acl支持逗号分隔多端口号配置

2025-08-07 21:28:50 +08:00 · 2024-04-08 14:54:09 +08:00
parent 380a8cb3fb
commit 8df34428dd
3 changed files with 89 additions and 62 deletions
--- a/server/dbdata/group.go
+++ b/server/dbdata/group.go
@@ -6,6 +6,7 @@ import (
 	"net"
 	"regexp"
 	"strings"
+	"strconv"
 	"time"

 	"github.com/bjdgyc/anylink/base"
@@ -24,11 +25,12 @@ const DsMaxLen = 20000

 type GroupLinkAcl struct {
 	// 自上而下匹配 默认 allow * *
-	Action string     `json:"action"` // allow、deny
-	Val    string     `json:"val"`
-	Port   uint16     `json:"port"`
-	IpNet  *net.IPNet `json:"ip_net"`
-	Note   string     `json:"note"`
+	Action 		string     `json:"action"` // allow、deny
+	Val    		string     `json:"val"`
+	PortStr    	string     `json:"port_str"`
+	Ports   	[]uint16   `json:"ports"`
+	IpNet  		*net.IPNet `json:"ip_net"`
+	Note   		string     `json:"note"`
 }

 type ValData struct {
@@ -161,9 +163,25 @@ func SetGroup(g *Group) error {
 				return errors.New("GroupLinkAcl 错误" + err.Error())
 			}
 			v.IpNet = ipNet
-			linkAcl = append(linkAcl, v)
+			if regexp.MustCompile(`^\d{1,5}(,\d{1,5})*$`).MatchString(v.PortStr) {
+				for _, port := range strings.Split(v.PortStr, ",") {
+					if port == "" {
+						continue
+					}
+					portInt, err := strconv.Atoi(port)
+					if err != nil {
+						return errors.New("端口:"+port+" 格式错误, " + err.Error())
+					}
+					v.Ports = append(v.Ports, uint16(portInt))
+				}
+				linkAcl = append(linkAcl, v)
+			} else {
+				return errors.New("端口: "+v.PortStr+" 格式错误,请用逗号分隔的端口列表,比如: 22,80,443")
+			}
+
 		}
 	}
+
 	g.LinkAcl = linkAcl

 	// DNS 判断
@@ -238,6 +256,15 @@ func SetGroup(g *Group) error {
 	return err
 }

+func ContainsInPorts(ports []uint16, port uint16) bool {
+	for _, p := range ports {
+		if p == port {
+			return true
+		}
+	}
+	return false
+}
+
 func GroupAuthLogin(name, pwd string, authData map[string]interface{}) error {
 	g := &Group{Auth: authData}
 	authType := g.Auth["type"].(string)
--- a/server/handler/payload.go
+++ b/server/handler/payload.go
@@ -89,7 +89,7 @@ func checkLinkAcl(group *dbdata.Group, pl *sessdata.Payload) bool {
 		// 循环判断ip和端口
 		if v.IpNet.Contains(ipDst) {
 			// 放行允许ip的ping
-			if v.Port == ipPort || v.Port == 0 || ipProto == waterutil.ICMP {
+			if dbdata.ContainsInPorts( v.Ports , ipPort) || v.Ports[0] == 0 || ipProto == waterutil.ICMP {
 				if v.Action == dbdata.Allow {
 					return true
 				} else {