feat: Add inbound interface restriction option for ufw forward rules (#10345) (#10549)

* 修复https防窜站关闭时修改默认站点报错的问题

* feat: Add inbound interface restriction option for ufw forward rules (#10345)

---------

Co-authored-by: live <[email protected]>

Author: AnxysUaen

agent/app/dto/firewall.go

@@ -37,6 +37,7 @@ type ForwardRuleOperate struct {
 		Operation  string `json:"operation" validate:"required,oneof=add remove"`
 		Num        string `json:"num"`
 		Protocol   string `json:"protocol" validate:"required,oneof=tcp udp tcp/udp"`
+		Interface  string `json:"interface"`
 		Port       string `json:"port" validate:"required"`
 		TargetIP   string `json:"targetIP"`
 		TargetPort string `json:"targetPort" validate:"required"`

agent/app/model/firewall.go

@@ -18,4 +18,5 @@ type Forward struct {
 	Port       string `gorm:"not null" json:"port"`
 	TargetIP   string `gorm:"not null" json:"targetIP"`
 	TargetPort string `gorm:"not null" json:"targetPort"`
+	Interface  string `json:"interface"`
 }

agent/app/service/firewall.go

@@ -329,7 +329,8 @@ func (u *FirewallService) OperateForwardRule(req dto.ForwardRuleOperate) error {
 					if reqRule.Port == rule.Port &&
 						reqRule.TargetPort == rule.TargetPort &&
 						reqRule.TargetIP == rule.TargetIP &&
-						proto == rule.Protocol {
+						proto == rule.Protocol &&
+						reqRule.Interface == rule.Interface {
 						shouldKeep = false
 						break
 					}
@@ -353,7 +354,8 @@ func (u *FirewallService) OperateForwardRule(req dto.ForwardRuleOperate) error {
 				if reqRule.Port == rule.Port &&
 					reqRule.TargetPort == rule.TargetPort &&
 					reqRule.TargetIP == rule.TargetIP &&
-					proto == rule.Protocol {
+					proto == rule.Protocol &&
+					reqRule.Interface == rule.Interface {
 					return buserr.New("ErrRecordExist")
 				}
 			}
@@ -383,6 +385,7 @@ func (u *FirewallService) OperateForwardRule(req dto.ForwardRuleOperate) error {
 				Port:       r.Port,
 				TargetIP:   r.TargetIP,
 				TargetPort: r.TargetPort,
+				Interface:  r.Interface,
 			}, r.Operation); err != nil {
 				if req.ForceDelete {
 					global.LOG.Error(err)

agent/init/migration/migrations/init.go

@@ -26,7 +26,7 @@ import (
 )
 
 var AddTable = &gormigrate.Migration{
-	ID: "20250902-add-table",
+	ID: "20250930-add-table",
 	Migrate: func(tx *gorm.DB) error {
 		return tx.AutoMigrate(
 			&model.AppDetail{},

agent/utils/firewall/client/info.go

@@ -10,6 +10,7 @@ type FireInfo struct {
 	Num        string `json:"num"`
 	TargetIP   string `json:"targetIP"`
 	TargetPort string `json:"targetPort"`
+	Interface  string `json:"interface"`
 
 	UsedStatus  string `json:"usedStatus"`
 	Description string `json:"description"`
@@ -21,12 +22,15 @@ type Forward struct {
 	Port       string `json:"port"`
 	TargetIP   string `json:"targetIP"`
 	TargetPort string `json:"targetPort"`
+	Interface  string `json:"interface"`
 }
 
 type IptablesNatInfo struct {
 	Num         string `json:"num"`
 	Target      string `json:"target"`
 	Protocol    string `json:"protocol"`
+	InIface     string `json:"inIface"`
+	OutIface    string `json:"outIface"`
 	Opt         string `json:"opt"`
 	Source      string `json:"source"`
 	Destination string `json:"destination"`

agent/utils/firewall/client/iptables.go

@@ -25,7 +25,7 @@ const (
 const NatChain = "1PANEL"
 
 var (
-	natListRegex = regexp.MustCompile(`^(\d+)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)(?:\s+(.+?) .+?:(\d{1,5}(?::\d+)?).+?[ :](.+-.+|(?:.+:)?\d{1,5}(?:-\d{1,5})?))?$`)
+	natListRegex = regexp.MustCompile(`^(\d+)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)\s+(.+?)(?:\s+(.+?) .+?:(\d{1,5}(?::\d+)?).+?[ :](.+-.+|(?:.+:)?\d{1,5}(?:-\d{1,5})?))?$`)
 )
 
 type Iptables struct {
@@ -92,7 +92,7 @@ func (iptables *Iptables) NatList(chain ...string) ([]IptablesNatInfo, error) {
 	if len(chain) == 0 {
 		chain = append(chain, PreRoutingChain)
 	}
-	stdout, err := iptables.outf(NatTab, "-nL %s --line", chain[0])
+	stdout, err := iptables.outf(NatTab, "-nvL %s --line-numbers", chain[0])
 	if err != nil {
 		return nil, err
 	}
@@ -104,35 +104,35 @@ func (iptables *Iptables) NatList(chain ...string) ([]IptablesNatInfo, error) {
 		})
 		if natListRegex.MatchString(line) {
 			match := natListRegex.FindStringSubmatch(line)
-			if !strings.Contains(match[9], ":") {
-				match[9] = fmt.Sprintf(":%s", match[9])
+			if !strings.Contains(match[13], ":") {
+				match[13] = fmt.Sprintf(":%s", match[13])
 			}
 			forwardList = append(forwardList, IptablesNatInfo{
 				Num:         match[1],
-				Target:      match[2],
-				Protocol:    match[7],
-				Opt:         match[4],
-				Source:      match[5],
-				Destination: match[6],
-				SrcPort:     match[8],
-				DestPort:    match[9],
+				Target:      match[4],
+				Protocol:    match[11],
+				InIface:     match[7],
+				OutIface:    match[8],
+				Opt:         match[6],
+				Source:      match[9],
+				Destination: match[10],
+				SrcPort:     match[12],
+				DestPort:    match[13],
 			})
 		}
 	}
 
 	return forwardList, nil
 }
 
-func (iptables *Iptables) NatAdd(protocol, srcPort, dest, destPort string, save bool) error {
+func (iptables *Iptables) NatAdd(protocol, srcPort, dest, destPort, iface string, save bool) error {
 	if dest != "" && dest != "127.0.0.1" && dest != "localhost" {
-		if err := iptables.runf(NatTab, fmt.Sprintf(
-			"-A %s -p %s --dport %s -j DNAT --to-destination %s:%s",
-			PreRoutingChain,
-			protocol,
-			srcPort,
-			dest,
-			destPort,
-		)); err != nil {
+		iptablesArg := fmt.Sprintf("-A %s", PreRoutingChain)
+		if iface != "" {
+			iptablesArg += fmt.Sprintf(" -i %s", iface)
+		}
+		iptablesArg += fmt.Sprintf(" -p %s --dport %s -j DNAT --to-destination %s:%s", protocol, srcPort, dest, destPort)
+		if err := iptables.runf(NatTab, iptablesArg); err != nil {
 			return err
 		}
 
@@ -166,13 +166,12 @@ func (iptables *Iptables) NatAdd(protocol, srcPort, dest, destPort string, save
 			return err
 		}
 	} else {
-		if err := iptables.runf(NatTab, fmt.Sprintf(
-			"-A %s -p %s --dport %s -j REDIRECT --to-port %s",
-			PreRoutingChain,
-			protocol,
-			srcPort,
-			destPort,
-		)); err != nil {
+		iptablesArg := fmt.Sprintf("-A %s", PreRoutingChain)
+		if iface != "" {
+			iptablesArg += fmt.Sprintf(" -i %s", iface)
+		}
+		iptablesArg += fmt.Sprintf(" -p %s --dport %s -j REDIRECT --to-port %s", protocol, srcPort, destPort)
+		if err := iptables.runf(NatTab, iptablesArg); err != nil {
 			return err
 		}
 	}
@@ -183,12 +182,13 @@ func (iptables *Iptables) NatAdd(protocol, srcPort, dest, destPort string, save
 			Port:       srcPort,
 			TargetIP:   dest,
 			TargetPort: destPort,
+			Interface:  iface,
 		}).Error
 	}
 	return nil
 }
 
-func (iptables *Iptables) NatRemove(num string, protocol, srcPort, dest, destPort string) error {
+func (iptables *Iptables) NatRemove(num string, protocol, srcPort, dest, destPort, iface string) error {
 	if err := iptables.runf(NatTab, "-D %s %s", PreRoutingChain, num); err != nil {
 		return err
 	}
@@ -226,11 +226,13 @@ func (iptables *Iptables) NatRemove(num string, protocol, srcPort, dest, destPor
 	}
 
 	global.DB.Where(
-		"protocol = ? AND port = ? AND target_ip = ? AND target_port = ?",
+		"protocol = ? AND port = ? AND target_ip = ? AND target_port = ? AND (interface = ? OR (interface IS NULL AND ? = ''))",
 		protocol,
 		srcPort,
 		dest,
 		destPort,
+		iface,
+		iface,
 	).Delete(&model.Forward{})
 	return nil
 }
@@ -249,7 +251,7 @@ func (iptables *Iptables) Reload() error {
 	var rules []model.Forward
 	global.DB.Find(&rules)
 	for _, forward := range rules {
-		if err := iptables.NatAdd(forward.Protocol, forward.Port, forward.TargetIP, forward.TargetPort, false); err != nil {
+		if err := iptables.NatAdd(forward.Protocol, forward.Port, forward.TargetIP, forward.TargetPort, forward.Interface, false); err != nil {
 			return err
 		}
 	}

agent/utils/firewall/client/ufw.go

@@ -124,6 +124,7 @@ func (f *Ufw) ListForward() ([]FireInfo, error) {
 		list = append(list, FireInfo{
 			Num:        rule.Num,
 			Protocol:   rule.Protocol,
+			Interface:  rule.InIface,
 			Port:       rule.SrcPort,
 			TargetIP:   dest[0],
 			TargetPort: dest[1],
@@ -241,9 +242,9 @@ func (f *Ufw) PortForward(info Forward, operation string) error {
 	}
 
 	if operation == "add" {
-		err = iptables.NatAdd(info.Protocol, info.Port, info.TargetIP, info.TargetPort, true)
+		err = iptables.NatAdd(info.Protocol, info.Port, info.TargetIP, info.TargetPort, info.Interface, true)
 	} else {
-		err = iptables.NatRemove(info.Num, info.Protocol, info.Port, info.TargetIP, info.TargetPort)
+		err = iptables.NatRemove(info.Num, info.Protocol, info.Port, info.TargetIP, info.TargetPort, info.Interface)
 	}
 	if err != nil {
 		return fmt.Errorf("%s port forward failed, err: %s", operation, err)

frontend/src/api/interface/dashboard.ts

@@ -15,7 +15,7 @@ export namespace Dashboard {
         title: string;
         detail: string;
         recommend: number;
-        isShow: boolean ;
+        isShow: boolean;
         router: string;
     }
     export interface AppLauncher {

frontend/src/api/interface/host.ts

@@ -112,6 +112,7 @@ export namespace Host {
         port: string;
         targetIP: string;
         targetPort: string;
+        interface: string;
     }
     export interface RuleIP {
         operation: string;

frontend/src/api/interface/setting.ts

@@ -246,7 +246,7 @@ export namespace Setting {
         id: number;
         name: string;
         addr: string;
-        description:  string;
+        description: string;
         systemVersion: string;
         securityEntrance: string;
         cpuUsedPercent: number;