feat: 兼容ufw

h2zi · h2zi · commit 583c1fe9619d · 2026-02-11T21:37:00.000+08:00
diff --git a/internal/service/installer.go b/internal/service/installer.go
@@ -507,7 +507,7 @@ func (i *installer) downloadPanel(ctx context.Context, cfg *types.InstallConfig)
 }
 
 func (i *installer) configureFirewall(ctx context.Context, cfg *types.InstallConfig) error {
-	// 安装firewalld
+	// 安装防火墙
 	if err := i.firewall.Install(ctx); err != nil {
 		return err
 	}
diff --git a/internal/system/firewall.go b/internal/system/firewall.go
@@ -45,27 +45,37 @@ func (f *firewall) Install(ctx context.Context) error {
 		return fmt.Errorf("%s", i18n.T.Get("Unsupported operating system"))
 	}
 
-	// Debian/Ubuntu 需要先禁用并卸载 ufw
 	if info.OS == types.OSDebian || info.OS == types.OSUbuntu {
-		_, _ = f.executor.Run(ctx, "ufw", "disable")
-		_, _ = f.executor.Run(ctx, "systemctl", "stop", "ufw")
-		_, _ = f.executor.Run(ctx, "systemctl", "disable", "ufw")
-		_ = pkgMgr.Remove(ctx, "ufw")
-
-		// 还有个傻逼 cloud-init 和 firewalld 冲突
-		_ = pkgMgr.Remove(ctx, "cloud-init")
+		return pkgMgr.Install(ctx, "ufw")
 	}
 
 	return pkgMgr.Install(ctx, "firewalld")
 }
 
 func (f *firewall) Enable(ctx context.Context) error {
+	ufw, err := f.isUFW(ctx)
+	if err != nil {
+		return err
+	}
+
+	if ufw {
+		result, err := f.executor.Run(ctx, "ufw", "--force", "enable")
+		if err != nil {
+			return err
+		}
+		if result.ExitCode != 0 {
+			return fmt.Errorf("%s: %s", i18n.T.Get("Failed to enable firewall"), result.Stderr)
+		}
+		return nil
+	}
+
+	// firewalld
 	result, err := f.executor.Run(ctx, "systemctl", "enable", "--now", "firewalld")
 	if err != nil {
 		return err
 	}
 	if result.ExitCode != 0 {
-		return fmt.Errorf("%s: %s", i18n.T.Get("Failed to enable firewalld"), result.Stderr)
+		return fmt.Errorf("%s: %s", i18n.T.Get("Failed to enable firewall"), result.Stderr)
 	}
 
 	// 设置默认zone
@@ -74,7 +84,24 @@ func (f *firewall) Enable(ctx context.Context) error {
 }
 
 func (f *firewall) AddPort(ctx context.Context, port int, protocol string) error {
+	ufw, err := f.isUFW(ctx)
+	if err != nil {
+		return err
+	}
+
 	portStr := fmt.Sprintf("%d/%s", port, protocol)
+
+	if ufw {
+		result, err := f.executor.Run(ctx, "ufw", "allow", portStr)
+		if err != nil {
+			return err
+		}
+		if result.ExitCode != 0 {
+			return fmt.Errorf("%s %s: %s", i18n.T.Get("Failed to add port"), portStr, result.Stderr)
+		}
+		return nil
+	}
+
 	result, err := f.executor.Run(ctx, "firewall-cmd", "--permanent", "--zone=public", "--add-port="+portStr)
 	if err != nil {
 		return err
@@ -86,7 +113,24 @@ func (f *firewall) AddPort(ctx context.Context, port int, protocol string) error
 }
 
 func (f *firewall) RemovePort(ctx context.Context, port int, protocol string) error {
+	ufw, err := f.isUFW(ctx)
+	if err != nil {
+		return err
+	}
+
 	portStr := fmt.Sprintf("%d/%s", port, protocol)
+
+	if ufw {
+		result, err := f.executor.Run(ctx, "ufw", "delete", "allow", portStr)
+		if err != nil {
+			return err
+		}
+		if result.ExitCode != 0 {
+			return fmt.Errorf("%s %s: %s", i18n.T.Get("Failed to remove port"), portStr, result.Stderr)
+		}
+		return nil
+	}
+
 	result, err := f.executor.Run(ctx, "firewall-cmd", "--permanent", "--zone=public", "--remove-port="+portStr)
 	if err != nil {
 		return err
@@ -98,6 +142,22 @@ func (f *firewall) RemovePort(ctx context.Context, port int, protocol string) er
 }
 
 func (f *firewall) Reload(ctx context.Context) error {
+	ufw, err := f.isUFW(ctx)
+	if err != nil {
+		return err
+	}
+
+	if ufw {
+		result, err := f.executor.Run(ctx, "ufw", "reload")
+		if err != nil {
+			return err
+		}
+		if result.ExitCode != 0 {
+			return fmt.Errorf("%s: %s", i18n.T.Get("Failed to reload firewall"), result.Stderr)
+		}
+		return nil
+	}
+
 	result, err := f.executor.Run(ctx, "firewall-cmd", "--reload")
 	if err != nil {
 		return err
@@ -107,3 +167,11 @@ func (f *firewall) Reload(ctx context.Context) error {
 	}
 	return nil
 }
+
+func (f *firewall) isUFW(ctx context.Context) (bool, error) {
+	info, err := f.detector.Detect(ctx)
+	if err != nil {
+		return false, err
+	}
+	return info.OS == types.OSDebian || info.OS == types.OSUbuntu, nil
+}
diff --git a/pkg/embed/locales/helper.pot b/pkg/embed/locales/helper.pot
@@ -184,7 +184,7 @@ msgid "Failed to enable"
 msgstr ""
 
 #: internal/system/firewall.go:65
-msgid "Failed to enable firewalld"
+msgid "Failed to enable firewall"
 msgstr ""
 
 #: internal/service/mounter.go:147
diff --git a/pkg/embed/locales/zh_CN/helper.po b/pkg/embed/locales/zh_CN/helper.po
@@ -192,8 +192,8 @@ msgid "Failed to enable"
 msgstr "启用失败"
 
 #: internal/system/firewall.go:65
-msgid "Failed to enable firewalld"
-msgstr "启用 firewalld 失败"
+msgid "Failed to enable firewall"
+msgstr "启用防火墙失败"
 
 #: internal/service/mounter.go:147
 msgid "Failed to get UUID"
diff --git a/pkg/embed/locales/zh_TW/helper.po b/pkg/embed/locales/zh_TW/helper.po
@@ -192,8 +192,8 @@ msgid "Failed to enable"
 msgstr "啟用失敗"
 
 #: internal/system/firewall.go:65
-msgid "Failed to enable firewalld"
-msgstr "啟用 firewalld 失敗"
+msgid "Failed to enable firewall"
+msgstr "啟用防火牆失敗"
 
 #: internal/service/mounter.go:147
 msgid "Failed to get UUID"

Original file line number	Diff line number	Diff line change
`@@ -507,7 +507,7 @@ func (i installer) downloadPanel(ctx context.Context, cfg types.InstallConfig)`
`507`	`507`	`}`
`508`	`508`
`509`	`509`	`func (i installer) configureFirewall(ctx context.Context, cfg types.InstallConfig) error {`
`510`		`- // 安装firewalld`
	`510`	`+ // 安装防火墙`
`511`	`511`	`if err := i.firewall.Install(ctx); err != nil {`
`512`	`512`	`return err`
`513`	`513`	`}`