diff --git a/internal/web/actions/default/servers/components/waf/ipadmin/index.go b/internal/web/actions/default/servers/components/waf/ipadmin/index.go
index c82e3d10..d525da66 100644
--- a/internal/web/actions/default/servers/components/waf/ipadmin/index.go
+++ b/internal/web/actions/default/servers/components/waf/ipadmin/index.go
@@ -7,6 +7,7 @@ import (
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao"
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/shared"
 	"github.com/iwind/TeaGo/actions"
 	"github.com/iwind/TeaGo/lists"
 	"github.com/iwind/TeaGo/maps"
@@ -36,9 +37,12 @@ func (this *IndexAction) RunGet(params struct {
 		this.NotFound("firewallPolicy", params.FirewallPolicyId)
 		return
 	}
-	var selectedCountryIds = []int64{}
+
+	var deniedCountryIds = []int64{}
+	var allowedCountryIds = []int64{}
 	if policyConfig.Inbound != nil && policyConfig.Inbound.Region != nil {
-		selectedCountryIds = policyConfig.Inbound.Region.DenyCountryIds
+		deniedCountryIds = policyConfig.Inbound.Region.DenyCountryIds
+		allowedCountryIds = policyConfig.Inbound.Region.AllowCountryIds
 	}
 
 	countriesResp, err := this.RPC().RegionCountryRPC().FindAllRegionCountries(this.AdminContext(), &pb.FindAllRegionCountriesRequest{})
@@ -46,23 +50,46 @@ func (this *IndexAction) RunGet(params struct {
 		this.ErrorPage(err)
 		return
 	}
-	var countryMaps = []maps.Map{}
+	var deniesCountryMaps = []maps.Map{}
+	var allowedCountryMaps = []maps.Map{}
 	for _, country := range countriesResp.RegionCountries {
-		countryMaps = append(countryMaps, maps.Map{
-			"id":        country.Id,
-			"name":      country.DisplayName,
-			"letter":    strings.ToUpper(string(country.Pinyin[0][0])),
-			"isChecked": lists.ContainsInt64(selectedCountryIds, country.Id),
-		})
+		var countryMap = maps.Map{
+			"id":     country.Id,
+			"name":   country.DisplayName,
+			"letter": strings.ToUpper(string(country.Pinyin[0][0])),
+		}
+		if lists.ContainsInt64(deniedCountryIds, country.Id) {
+			deniesCountryMaps = append(deniesCountryMaps, countryMap)
+		}
+		if lists.ContainsInt64(allowedCountryIds, country.Id) {
+			allowedCountryMaps = append(allowedCountryMaps, countryMap)
+		}
+	}
+	this.Data["deniedCountries"] = deniesCountryMaps
+	this.Data["allowedCountries"] = allowedCountryMaps
+
+	// except & only URL Patterns
+	this.Data["exceptURLPatterns"] = []*shared.URLPattern{}
+	this.Data["onlyURLPatterns"] = []*shared.URLPattern{}
+	if policyConfig.Inbound != nil && policyConfig.Inbound.Region != nil {
+		if len(policyConfig.Inbound.Region.CountryExceptURLPatterns) > 0 {
+			this.Data["exceptURLPatterns"] = policyConfig.Inbound.Region.CountryExceptURLPatterns
+		}
+		if len(policyConfig.Inbound.Region.CountryOnlyURLPatterns) > 0 {
+			this.Data["onlyURLPatterns"] = policyConfig.Inbound.Region.CountryOnlyURLPatterns
+		}
 	}
-	this.Data["countries"] = countryMaps
 
 	this.Show()
 }
 
 func (this *IndexAction) RunPost(params struct {
 	FirewallPolicyId int64
-	CountryIds       []int64
+	DenyCountryIds   []int64
+	AllowCountryIds  []int64
+
+	ExceptURLPatternsJSON []byte
+	OnlyURLPatternsJSON   []byte
 
 	Must *actions.Must
 }) {
@@ -87,7 +114,30 @@ func (this *IndexAction) RunPost(params struct {
 			IsOn: true,
 		}
 	}
-	policyConfig.Inbound.Region.DenyCountryIds = params.CountryIds
+	policyConfig.Inbound.Region.DenyCountryIds = params.DenyCountryIds
+	policyConfig.Inbound.Region.AllowCountryIds = params.AllowCountryIds
+
+	// 例外URL
+	var exceptURLPatterns = []*shared.URLPattern{}
+	if len(params.ExceptURLPatternsJSON) > 0 {
+		err = json.Unmarshal(params.ExceptURLPatternsJSON, &exceptURLPatterns)
+		if err != nil {
+			this.Fail("校验例外URL参数失败：" + err.Error())
+			return
+		}
+	}
+	policyConfig.Inbound.Region.CountryExceptURLPatterns = exceptURLPatterns
+
+	// 限制URL
+	var onlyURLPatterns = []*shared.URLPattern{}
+	if len(params.OnlyURLPatternsJSON) > 0 {
+		err = json.Unmarshal(params.OnlyURLPatternsJSON, &onlyURLPatterns)
+		if err != nil {
+			this.Fail("校验限制URL参数失败：" + err.Error())
+			return
+		}
+	}
+	policyConfig.Inbound.Region.CountryOnlyURLPatterns = onlyURLPatterns
 
 	inboundJSON, err := json.Marshal(policyConfig.Inbound)
 	if err != nil {
diff --git a/internal/web/actions/default/servers/components/waf/ipadmin/provinces.go b/internal/web/actions/default/servers/components/waf/ipadmin/provinces.go
index 6f991028..16454110 100644
--- a/internal/web/actions/default/servers/components/waf/ipadmin/provinces.go
+++ b/internal/web/actions/default/servers/components/waf/ipadmin/provinces.go
@@ -8,6 +8,7 @@ import (
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/regionconfigs"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/shared"
 	"github.com/iwind/TeaGo/actions"
 	"github.com/iwind/TeaGo/lists"
 	"github.com/iwind/TeaGo/maps"
@@ -36,9 +37,12 @@ func (this *ProvincesAction) RunGet(params struct {
 		this.NotFound("firewallPolicy", params.FirewallPolicyId)
 		return
 	}
-	var selectedProvinceIds = []int64{}
+
+	var deniedProvinceIds = []int64{}
+	var allowedProvinceIds = []int64{}
 	if policyConfig.Inbound != nil && policyConfig.Inbound.Region != nil {
-		selectedProvinceIds = policyConfig.Inbound.Region.DenyProvinceIds
+		deniedProvinceIds = policyConfig.Inbound.Region.DenyProvinceIds
+		allowedProvinceIds = policyConfig.Inbound.Region.AllowProvinceIds
 	}
 
 	provincesResp, err := this.RPC().RegionProvinceRPC().FindAllRegionProvincesWithRegionCountryId(this.AdminContext(), &pb.FindAllRegionProvincesWithRegionCountryIdRequest{
@@ -48,22 +52,45 @@ func (this *ProvincesAction) RunGet(params struct {
 		this.ErrorPage(err)
 		return
 	}
-	var provinceMaps = []maps.Map{}
+	var deniedProvinceMaps = []maps.Map{}
+	var allowedProvinceMaps = []maps.Map{}
 	for _, province := range provincesResp.RegionProvinces {
-		provinceMaps = append(provinceMaps, maps.Map{
-			"id":        province.Id,
-			"name":      province.DisplayName,
-			"isChecked": lists.ContainsInt64(selectedProvinceIds, province.Id),
-		})
+		var provinceMap = maps.Map{
+			"id":   province.Id,
+			"name": province.DisplayName,
+		}
+		if lists.ContainsInt64(deniedProvinceIds, province.Id) {
+			deniedProvinceMaps = append(deniedProvinceMaps, provinceMap)
+		}
+		if lists.ContainsInt64(allowedProvinceIds, province.Id) {
+			allowedProvinceMaps = append(allowedProvinceMaps, provinceMap)
+		}
+	}
+	this.Data["deniedProvinces"] = deniedProvinceMaps
+	this.Data["allowedProvinces"] = allowedProvinceMaps
+
+	// except & only URL Patterns
+	this.Data["exceptURLPatterns"] = []*shared.URLPattern{}
+	this.Data["onlyURLPatterns"] = []*shared.URLPattern{}
+	if policyConfig.Inbound != nil && policyConfig.Inbound.Region != nil {
+		if len(policyConfig.Inbound.Region.ProvinceExceptURLPatterns) > 0 {
+			this.Data["exceptURLPatterns"] = policyConfig.Inbound.Region.ProvinceExceptURLPatterns
+		}
+		if len(policyConfig.Inbound.Region.ProvinceOnlyURLPatterns) > 0 {
+			this.Data["onlyURLPatterns"] = policyConfig.Inbound.Region.ProvinceOnlyURLPatterns
+		}
 	}
-	this.Data["provinces"] = provinceMaps
 
 	this.Show()
 }
 
 func (this *ProvincesAction) RunPost(params struct {
 	FirewallPolicyId int64
-	ProvinceIds      []int64
+	DenyProvinceIds  []int64
+	AllowProvinceIds []int64
+
+	ExceptURLPatternsJSON []byte
+	OnlyURLPatternsJSON   []byte
 
 	Must *actions.Must
 }) {
@@ -88,7 +115,30 @@ func (this *ProvincesAction) RunPost(params struct {
 			IsOn: true,
 		}
 	}
-	policyConfig.Inbound.Region.DenyProvinceIds = params.ProvinceIds
+	policyConfig.Inbound.Region.DenyProvinceIds = params.DenyProvinceIds
+	policyConfig.Inbound.Region.AllowProvinceIds = params.AllowProvinceIds
+
+	// 例外URL
+	var exceptURLPatterns = []*shared.URLPattern{}
+	if len(params.ExceptURLPatternsJSON) > 0 {
+		err = json.Unmarshal(params.ExceptURLPatternsJSON, &exceptURLPatterns)
+		if err != nil {
+			this.Fail("校验例外URL参数失败：" + err.Error())
+			return
+		}
+	}
+	policyConfig.Inbound.Region.ProvinceExceptURLPatterns = exceptURLPatterns
+
+	// 限制URL
+	var onlyURLPatterns = []*shared.URLPattern{}
+	if len(params.OnlyURLPatternsJSON) > 0 {
+		err = json.Unmarshal(params.OnlyURLPatternsJSON, &onlyURLPatterns)
+		if err != nil {
+			this.Fail("校验限制URL参数失败：" + err.Error())
+			return
+		}
+	}
+	policyConfig.Inbound.Region.ProvinceOnlyURLPatterns = onlyURLPatterns
 
 	inboundJSON, err := json.Marshal(policyConfig.Inbound)
 	if err != nil {
diff --git a/internal/web/actions/default/servers/groups/group/settings/waf/ipadmin/countries.go b/internal/web/actions/default/servers/groups/group/settings/waf/ipadmin/countries.go
index c651dd05..445bc034 100644
--- a/internal/web/actions/default/servers/groups/group/settings/waf/ipadmin/countries.go
+++ b/internal/web/actions/default/servers/groups/group/settings/waf/ipadmin/countries.go
@@ -7,6 +7,7 @@ import (
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao"
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/shared"
 	"github.com/iwind/TeaGo/actions"
 	"github.com/iwind/TeaGo/lists"
 	"github.com/iwind/TeaGo/maps"
@@ -41,9 +42,12 @@ func (this *CountriesAction) RunGet(params struct {
 		this.NotFound("firewallPolicy", params.FirewallPolicyId)
 		return
 	}
-	selectedCountryIds := []int64{}
+
+	var deniedCountryIds = []int64{}
+	var allowedCountryIds = []int64{}
 	if policyConfig.Inbound != nil && policyConfig.Inbound.Region != nil {
-		selectedCountryIds = policyConfig.Inbound.Region.DenyCountryIds
+		deniedCountryIds = policyConfig.Inbound.Region.DenyCountryIds
+		allowedCountryIds = policyConfig.Inbound.Region.AllowCountryIds
 	}
 
 	countriesResp, err := this.RPC().RegionCountryRPC().FindAllRegionCountries(this.AdminContext(), &pb.FindAllRegionCountriesRequest{})
@@ -51,16 +55,35 @@ func (this *CountriesAction) RunGet(params struct {
 		this.ErrorPage(err)
 		return
 	}
-	countryMaps := []maps.Map{}
+	var deniesCountryMaps = []maps.Map{}
+	var allowedCountryMaps = []maps.Map{}
 	for _, country := range countriesResp.RegionCountries {
-		countryMaps = append(countryMaps, maps.Map{
-			"id":        country.Id,
-			"name":      country.DisplayName,
-			"letter":    strings.ToUpper(string(country.Pinyin[0][0])),
-			"isChecked": lists.ContainsInt64(selectedCountryIds, country.Id),
-		})
+		var countryMap = maps.Map{
+			"id":     country.Id,
+			"name":   country.DisplayName,
+			"letter": strings.ToUpper(string(country.Pinyin[0][0])),
+		}
+		if lists.ContainsInt64(deniedCountryIds, country.Id) {
+			deniesCountryMaps = append(deniesCountryMaps, countryMap)
+		}
+		if lists.ContainsInt64(allowedCountryIds, country.Id) {
+			allowedCountryMaps = append(allowedCountryMaps, countryMap)
+		}
+	}
+	this.Data["deniedCountries"] = deniesCountryMaps
+	this.Data["allowedCountries"] = allowedCountryMaps
+
+	// except & only URL Patterns
+	this.Data["exceptURLPatterns"] = []*shared.URLPattern{}
+	this.Data["onlyURLPatterns"] = []*shared.URLPattern{}
+	if policyConfig.Inbound != nil && policyConfig.Inbound.Region != nil {
+		if len(policyConfig.Inbound.Region.CountryExceptURLPatterns) > 0 {
+			this.Data["exceptURLPatterns"] = policyConfig.Inbound.Region.CountryExceptURLPatterns
+		}
+		if len(policyConfig.Inbound.Region.CountryOnlyURLPatterns) > 0 {
+			this.Data["onlyURLPatterns"] = policyConfig.Inbound.Region.CountryOnlyURLPatterns
+		}
 	}
-	this.Data["countries"] = countryMaps
 
 	// WAF是否启用
 	webConfig, err := dao.SharedHTTPWebDAO.FindWebConfigWithServerId(this.AdminContext(), params.ServerId)
@@ -75,7 +98,11 @@ func (this *CountriesAction) RunGet(params struct {
 
 func (this *CountriesAction) RunPost(params struct {
 	FirewallPolicyId int64
-	CountryIds       []int64
+	DenyCountryIds   []int64
+	AllowCountryIds  []int64
+
+	ExceptURLPatternsJSON []byte
+	OnlyURLPatternsJSON   []byte
 
 	Must *actions.Must
 }) {
@@ -100,7 +127,30 @@ func (this *CountriesAction) RunPost(params struct {
 			IsOn: true,
 		}
 	}
-	policyConfig.Inbound.Region.DenyCountryIds = params.CountryIds
+	policyConfig.Inbound.Region.DenyCountryIds = params.DenyCountryIds
+	policyConfig.Inbound.Region.AllowCountryIds = params.AllowCountryIds
+
+	// 例外URL
+	var exceptURLPatterns = []*shared.URLPattern{}
+	if len(params.ExceptURLPatternsJSON) > 0 {
+		err = json.Unmarshal(params.ExceptURLPatternsJSON, &exceptURLPatterns)
+		if err != nil {
+			this.Fail("校验例外URL参数失败：" + err.Error())
+			return
+		}
+	}
+	policyConfig.Inbound.Region.CountryExceptURLPatterns = exceptURLPatterns
+
+	// 限制URL
+	var onlyURLPatterns = []*shared.URLPattern{}
+	if len(params.OnlyURLPatternsJSON) > 0 {
+		err = json.Unmarshal(params.OnlyURLPatternsJSON, &onlyURLPatterns)
+		if err != nil {
+			this.Fail("校验限制URL参数失败：" + err.Error())
+			return
+		}
+	}
+	policyConfig.Inbound.Region.CountryOnlyURLPatterns = onlyURLPatterns
 
 	inboundJSON, err := json.Marshal(policyConfig.Inbound)
 	if err != nil {
diff --git a/internal/web/actions/default/servers/groups/group/settings/waf/ipadmin/provinces.go b/internal/web/actions/default/servers/groups/group/settings/waf/ipadmin/provinces.go
index 26ff3ba5..29138b21 100644
--- a/internal/web/actions/default/servers/groups/group/settings/waf/ipadmin/provinces.go
+++ b/internal/web/actions/default/servers/groups/group/settings/waf/ipadmin/provinces.go
@@ -7,6 +7,8 @@ import (
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao"
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/regionconfigs"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/shared"
 	"github.com/iwind/TeaGo/actions"
 	"github.com/iwind/TeaGo/lists"
 	"github.com/iwind/TeaGo/maps"
@@ -39,27 +41,49 @@ func (this *ProvincesAction) RunGet(params struct {
 		this.NotFound("firewallPolicy", params.FirewallPolicyId)
 		return
 	}
-	selectedProvinceIds := []int64{}
+
+	var deniedProvinceIds = []int64{}
+	var allowedProvinceIds = []int64{}
 	if policyConfig.Inbound != nil && policyConfig.Inbound.Region != nil {
-		selectedProvinceIds = policyConfig.Inbound.Region.DenyProvinceIds
+		deniedProvinceIds = policyConfig.Inbound.Region.DenyProvinceIds
+		allowedProvinceIds = policyConfig.Inbound.Region.AllowProvinceIds
 	}
 
 	provincesResp, err := this.RPC().RegionProvinceRPC().FindAllRegionProvincesWithRegionCountryId(this.AdminContext(), &pb.FindAllRegionProvincesWithRegionCountryIdRequest{
-		RegionCountryId: int64(ChinaCountryId),
+		RegionCountryId: regionconfigs.RegionChinaId,
 	})
 	if err != nil {
 		this.ErrorPage(err)
 		return
 	}
-	provinceMaps := []maps.Map{}
+	var deniedProvinceMaps = []maps.Map{}
+	var allowedProvinceMaps = []maps.Map{}
 	for _, province := range provincesResp.RegionProvinces {
-		provinceMaps = append(provinceMaps, maps.Map{
-			"id":        province.Id,
-			"name":      province.DisplayName,
-			"isChecked": lists.ContainsInt64(selectedProvinceIds, province.Id),
-		})
+		var provinceMap = maps.Map{
+			"id":   province.Id,
+			"name": province.DisplayName,
+		}
+		if lists.ContainsInt64(deniedProvinceIds, province.Id) {
+			deniedProvinceMaps = append(deniedProvinceMaps, provinceMap)
+		}
+		if lists.ContainsInt64(allowedProvinceIds, province.Id) {
+			allowedProvinceMaps = append(allowedProvinceMaps, provinceMap)
+		}
+	}
+	this.Data["deniedProvinces"] = deniedProvinceMaps
+	this.Data["allowedProvinces"] = allowedProvinceMaps
+
+	// except & only URL Patterns
+	this.Data["exceptURLPatterns"] = []*shared.URLPattern{}
+	this.Data["onlyURLPatterns"] = []*shared.URLPattern{}
+	if policyConfig.Inbound != nil && policyConfig.Inbound.Region != nil {
+		if len(policyConfig.Inbound.Region.ProvinceExceptURLPatterns) > 0 {
+			this.Data["exceptURLPatterns"] = policyConfig.Inbound.Region.ProvinceExceptURLPatterns
+		}
+		if len(policyConfig.Inbound.Region.ProvinceOnlyURLPatterns) > 0 {
+			this.Data["onlyURLPatterns"] = policyConfig.Inbound.Region.ProvinceOnlyURLPatterns
+		}
 	}
-	this.Data["provinces"] = provinceMaps
 
 	// WAF是否启用
 	webConfig, err := dao.SharedHTTPWebDAO.FindWebConfigWithServerId(this.AdminContext(), params.ServerId)
@@ -74,7 +98,11 @@ func (this *ProvincesAction) RunGet(params struct {
 
 func (this *ProvincesAction) RunPost(params struct {
 	FirewallPolicyId int64
-	ProvinceIds      []int64
+	DenyProvinceIds  []int64
+	AllowProvinceIds []int64
+
+	ExceptURLPatternsJSON []byte
+	OnlyURLPatternsJSON   []byte
 
 	Must *actions.Must
 }) {
@@ -99,7 +127,30 @@ func (this *ProvincesAction) RunPost(params struct {
 			IsOn: true,
 		}
 	}
-	policyConfig.Inbound.Region.DenyProvinceIds = params.ProvinceIds
+	policyConfig.Inbound.Region.DenyProvinceIds = params.DenyProvinceIds
+	policyConfig.Inbound.Region.AllowProvinceIds = params.AllowProvinceIds
+
+	// 例外URL
+	var exceptURLPatterns = []*shared.URLPattern{}
+	if len(params.ExceptURLPatternsJSON) > 0 {
+		err = json.Unmarshal(params.ExceptURLPatternsJSON, &exceptURLPatterns)
+		if err != nil {
+			this.Fail("校验例外URL参数失败：" + err.Error())
+			return
+		}
+	}
+	policyConfig.Inbound.Region.ProvinceExceptURLPatterns = exceptURLPatterns
+
+	// 限制URL
+	var onlyURLPatterns = []*shared.URLPattern{}
+	if len(params.OnlyURLPatternsJSON) > 0 {
+		err = json.Unmarshal(params.OnlyURLPatternsJSON, &onlyURLPatterns)
+		if err != nil {
+			this.Fail("校验限制URL参数失败：" + err.Error())
+			return
+		}
+	}
+	policyConfig.Inbound.Region.ProvinceOnlyURLPatterns = onlyURLPatterns
 
 	inboundJSON, err := json.Marshal(policyConfig.Inbound)
 	if err != nil {
diff --git a/internal/web/actions/default/servers/server/settings/waf/ipadmin/provinces.go b/internal/web/actions/default/servers/server/settings/waf/ipadmin/provinces.go
index d2f2f2a3..00e505e4 100644
--- a/internal/web/actions/default/servers/server/settings/waf/ipadmin/provinces.go
+++ b/internal/web/actions/default/servers/server/settings/waf/ipadmin/provinces.go
@@ -41,6 +41,7 @@ func (this *ProvincesAction) RunGet(params struct {
 		this.NotFound("firewallPolicy", params.FirewallPolicyId)
 		return
 	}
+
 	var deniedProvinceIds = []int64{}
 	var allowedProvinceIds = []int64{}
 	if policyConfig.Inbound != nil && policyConfig.Inbound.Region != nil {
diff --git a/internal/web/actions/default/ui/countryOptions.go b/internal/web/actions/default/ui/countryOptions.go
index 1346769c..00c385f2 100644
--- a/internal/web/actions/default/ui/countryOptions.go
+++ b/internal/web/actions/default/ui/countryOptions.go
@@ -5,6 +5,8 @@ package ui
 import (
 	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/regionconfigs"
+	"github.com/iwind/TeaGo/lists"
 	"github.com/iwind/TeaGo/maps"
 	"strings"
 )
@@ -21,6 +23,10 @@ func (this *CountryOptionsAction) RunPost(params struct{}) {
 	}
 	var countryMaps = []maps.Map{}
 	for _, country := range countriesResp.RegionCountries {
+		if lists.ContainsInt64(regionconfigs.FindAllGreaterChinaSubRegionIds(), country.Id) {
+			continue
+		}
+
 		if country.Codes == nil {
 			country.Codes = []string{}
 		}
diff --git a/web/views/@default/servers/components/waf/ipadmin/index.html b/web/views/@default/servers/components/waf/ipadmin/index.html
index 232040fd..633bda52 100644
--- a/web/views/@default/servers/components/waf/ipadmin/index.html
+++ b/web/views/@default/servers/components/waf/ipadmin/index.html
@@ -1,51 +1,39 @@
 {$layout}
 
-	{$template "../waf_menu"}
-	{$template "menu"}
+{$template "../waf_menu"}
+{$template "menu"}
 
-	<form method="post" class="ui form" data-tea-action="$" data-tea-success="success">
-		<input type="hidden" name="firewallPolicyId" :value="firewallPolicyId"/>
-		<table class="ui table selectable definition">
-			<tr>
-				<td class="title">已封禁</td>
-				<td>
-					<span v-if="countSelectedCountries == 0" class="disabled">暂时没有选择封禁区域。</span>
-					<div class="ui label tiny basic" v-for="country in countries" v-if="country.isChecked" style="margin-bottom: 0.5em">
-						<input type="hidden" name="countryIds" :value="country.id"/>
-						({{country.letter}}){{country.name}} <a href="" @click.prevent="deselectCountry(country)" title="取消封禁"><i class="icon remove"></i></a>
-					</div>
-				</td>
-			</tr>
-			<tr>
-				<td>选择封禁区域</td>
-				<td>
-					<more-options-indicator>选择区域</more-options-indicator>
-
-					<div class="ui menu tabular tiny region-letter-group" v-show="moreOptionsVisible">
-						<a href="" v-for="group in letterGroups" class="item" :class="{active: group == selectedGroup}" @click.prevent="selectGroup(group)">{{group}}</a>
-						<div class="item right">
-							<div class="ui checkbox" @click.prevent="checkAll">
-								<input type="checkbox" v-model="isCheckingAll"/>
-								<label>全选</label>
-							</div>
-						</div>
-					</div>
-					<div v-for="group in letterGroups"  v-show="moreOptionsVisible">
-						<div v-for="letter in group" v-if="letterCountries[letter] != null && group == selectedGroup" class="country-group">
-							<h4>{{letter}}</h4>
-							<div class="country-list">
-								<div class="item" v-for="country in letterCountries[letter]">
-									<div class="ui checkbox" @click.prevent="selectCountry(country)">
-										<input type="checkbox" v-model="country.isChecked"/>
-										<label>{{country.name}}</label>
-									</div>
-								</div>
-							</div>
-							<div class="clear"></div>
-						</div>
-					</div>
-				</td>
-			</tr>
-		</table>
-		<submit-btn></submit-btn>
-	</form>
\ No newline at end of file
+<form method="post" class="ui form" data-tea-action="$" data-tea-success="success">
+    <input type="hidden" name="firewallPolicyId" :value="firewallPolicyId"/>
+    <input type="hidden" name="exceptURLPatternsJSON" :value="JSON.stringify(exceptURLPatterns)"/>
+    <input type="hidden" name="onlyURLPatternsJSON" :value="JSON.stringify(onlyURLPatterns)"/>
+    <table class="ui table selectable definition">
+        <tr>
+            <td class="title">仅允许的区域</td>
+            <td>
+                <http-firewall-region-selector :v-countries="allowedCountries" :v-type="'allow'" @change="changeAllowedCountries"></http-firewall-region-selector>
+            </td>
+        </tr>
+        <tr>
+            <td class="title">仅封禁的区域</td>
+            <td>
+                <p class="comment" v-if="allowedCountries.length > 0">由于你已设置"仅允许的区域"，所以不需要再设置封禁区域。</p>
+                <http-firewall-region-selector :v-countries="deniedCountries" :v-type="'deny'" v-show="allowedCountries.length == 0"></http-firewall-region-selector>
+            </td>
+        </tr>
+        <tr>
+            <td colspan="2"><more-options-indicator></more-options-indicator></td>
+        </tr>
+        <tbody v-show="moreOptionsVisible">
+            <tr>
+                <td>例外URL &nbsp;<tip-icon content="对这些URL将不做任何限制。"></tip-icon></td>
+                <td><url-patterns-box v-model="exceptURLPatterns"></url-patterns-box></td>
+            </tr>
+            <tr>
+                <td>限制URL &nbsp;<tip-icon content="只对这些URL做限制。"></tip-icon></td>
+                <td><url-patterns-box v-model="onlyURLPatterns"></url-patterns-box></td>
+            </tr>
+        </tbody>
+    </table>
+    <submit-btn></submit-btn>
+</form>
\ No newline at end of file
diff --git a/web/views/@default/servers/components/waf/ipadmin/index.js b/web/views/@default/servers/components/waf/ipadmin/index.js
index b0ed60d1..8f1ffa7b 100644
--- a/web/views/@default/servers/components/waf/ipadmin/index.js
+++ b/web/views/@default/servers/components/waf/ipadmin/index.js
@@ -1,54 +1,11 @@
 Tea.context(function () {
-	this.letterGroups = [
-		"ABC", "DEF", "GHI", "JKL", "MNO", "PQR", "STU", "VWX", "YZ"
-	];
-	this.selectedGroup = "ABC"
-	this.letterCountries = {}
-	let that = this
-	this.countSelectedCountries = this.countries.$count(function (k, country) {
-		return country.isChecked
-	})
-	this.countries.forEach(function (country) {
-		if (typeof (that.letterCountries[country.letter]) == "undefined") {
-			that.letterCountries[country.letter] = []
-		}
-		that.letterCountries[country.letter].push(country)
-	})
-	this.isCheckingAll = false
-
-	this.selectGroup = function (group) {
-		this.selectedGroup = group
-	}
-
-	this.selectCountry = function (country) {
-		country.isChecked = !country.isChecked
-		this.change()
-	}
-
-	this.deselectCountry = function (country) {
-		country.isChecked = false
-		this.change()
-	}
-
-	this.checkAll = function () {
-		this.isCheckingAll = !this.isCheckingAll
-
-		this.countries.forEach(function (country) {
-			country.isChecked = that.isCheckingAll
-		})
-
-		this.change()
-	}
-
 	this.success = function () {
 		teaweb.success("保存成功", function () {
 			teaweb.reload()
 		})
 	}
 
-	this.change = function () {
-		this.countSelectedCountries = this.countries.$count(function (k, country) {
-			return country.isChecked
-		})
+	this.changeAllowedCountries = function (event) {
+		this.allowedCountries = event.countries
 	}
 })
\ No newline at end of file
diff --git a/web/views/@default/servers/components/waf/ipadmin/provinces.html b/web/views/@default/servers/components/waf/ipadmin/provinces.html
index 542d52da..537236fd 100644
--- a/web/views/@default/servers/components/waf/ipadmin/provinces.html
+++ b/web/views/@default/servers/components/waf/ipadmin/provinces.html
@@ -5,42 +5,35 @@
 
 	<form method="post" class="ui form" data-tea-action="$" data-tea-success="success">
 		<input type="hidden" name="firewallPolicyId" :value="firewallPolicyId"/>
+        <input type="hidden" name="exceptURLPatternsJSON" :value="JSON.stringify(exceptURLPatterns)"/>
+        <input type="hidden" name="onlyURLPatternsJSON" :value="JSON.stringify(onlyURLPatterns)"/>
 		<table class="ui table selectable definition">
-			<tr>
-				<td class="title">已封禁</td>
-				<td>
-					<span v-if="countSelectedProvinces == 0" class="disabled">暂时没有选择封禁省份。</span>
-					<div class="ui label tiny basic" v-for="province in provinces" v-if="province.isChecked" style="margin-bottom: 0.5em">
-						<input type="hidden" name="provinceIds" :value="province.id"/>
-						{{province.name}} <a href="" @click.prevent="deselectProvince(province)" title="取消封禁"><i class="icon remove"></i></a>
-					</div>
-				</td>
-			</tr>
-			<tr>
-				<td>选择封禁区域</td>
-				<td>
-
-					<first-menu>
-						<menu-item><more-options-indicator>选择省份/自治区</more-options-indicator></menu-item>
-						<div class="item right" v-show="moreOptionsVisible">
-							<div class="ui checkbox" @click.prevent="checkAll">
-								<input type="checkbox" v-model="isCheckingAll"/>
-								<label>全选</label>
-							</div>
-						</div>
-					</first-menu>
-
-					<div class="province-list" v-show="moreOptionsVisible" style="margin-top:0.5em">
-						<div class="item" v-for="province in provinces">
-							<div class="ui checkbox" @click.prevent="selectProvince(province)">
-								<input type="checkbox" v-model="province.isChecked"/>
-								<label>{{province.name}}</label>
-							</div>
-						</div>
-					</div>
-					<div class="clear"></div>
-				</td>
-			</tr>
+            <tr>
+                <td class="title">仅允许的省份</td>
+                <td>
+                    <http-firewall-province-selector :v-provinces="allowedProvinces" :v-type="'allow'" @change="changeAllowedProvinces"></http-firewall-province-selector>
+                </td>
+            </tr>
+            <tr>
+                <td class="title">仅封禁的省份</td>
+                <td>
+                    <p class="comment" v-if="allowedProvinces.length > 0">由于你已设置"仅允许的省份"，所以不需要再设置封禁省份。</p>
+                    <http-firewall-province-selector :v-provinces="deniedProvinces" :v-type="'deny'" v-show="allowedProvinces.length == 0"></http-firewall-province-selector>
+                </td>
+            </tr>
+            <tr>
+                <td colspan="2"><more-options-indicator></more-options-indicator></td>
+            </tr>
+            <tbody v-show="moreOptionsVisible">
+                <tr>
+                    <td>例外URL &nbsp;<tip-icon content="对这些URL将不做任何限制。"></tip-icon></td>
+                    <td><url-patterns-box v-model="exceptURLPatterns"></url-patterns-box></td>
+                </tr>
+                <tr>
+                    <td>限制URL &nbsp;<tip-icon content="只对这些URL做限制。"></tip-icon></td>
+                    <td><url-patterns-box v-model="onlyURLPatterns"></url-patterns-box></td>
+                </tr>
+            </tbody>
 		</table>
 		<submit-btn></submit-btn>
 	</form>
\ No newline at end of file
diff --git a/web/views/@default/servers/components/waf/ipadmin/provinces.js b/web/views/@default/servers/components/waf/ipadmin/provinces.js
index f2e83994..b1723379 100644
--- a/web/views/@default/servers/components/waf/ipadmin/provinces.js
+++ b/web/views/@default/servers/components/waf/ipadmin/provinces.js
@@ -1,30 +1,4 @@
 Tea.context(function () {
-	this.isCheckingAll = false
-
-	this.countSelectedProvinces = this.provinces.$count(function (k, province) {
-		return province.isChecked
-	})
-
-	this.selectProvince = function (province) {
-		province.isChecked = !province.isChecked
-		this.change()
-	}
-
-	this.deselectProvince = function (province) {
-		province.isChecked = false
-		this.change()
-	}
-
-	this.checkAll = function () {
-		this.isCheckingAll = !this.isCheckingAll
-		let that = this
-		this.provinces.forEach(function (province) {
-			province.isChecked = that.isCheckingAll
-		})
-
-		this.change()
-	}
-
 	this.success = function () {
 		teaweb.success("保存成功", function () {
 			teaweb.reload()
@@ -32,9 +6,7 @@ Tea.context(function () {
 	}
 
 
-	this.change = function () {
-		this.countSelectedProvinces = this.provinces.$count(function (k, province) {
-			return province.isChecked
-		})
+	this.changeAllowedProvinces = function (event) {
+		this.allowedProvinces = event.provinces
 	}
 })
\ No newline at end of file
diff --git a/web/views/@default/servers/groups/group/settings/waf/ipadmin/countries.html b/web/views/@default/servers/groups/group/settings/waf/ipadmin/countries.html
index 42c08fcc..00fe4405 100644
--- a/web/views/@default/servers/groups/group/settings/waf/ipadmin/countries.html
+++ b/web/views/@default/servers/groups/group/settings/waf/ipadmin/countries.html
@@ -11,47 +11,35 @@
 
 	<form method="post" class="ui form" data-tea-action="$" data-tea-success="success">
 		<input type="hidden" name="firewallPolicyId" :value="firewallPolicyId"/>
+        <input type="hidden" name="exceptURLPatternsJSON" :value="JSON.stringify(exceptURLPatterns)"/>
+        <input type="hidden" name="onlyURLPatternsJSON" :value="JSON.stringify(onlyURLPatterns)"/>
 		<table class="ui table selectable definition">
-			<tr>
-				<td class="title">已封禁</td>
-				<td>
-					<span v-if="countSelectedCountries == 0" class="disabled">暂时没有选择封禁区域。</span>
-					<div class="ui label tiny basic" v-for="country in countries" v-if="country.isChecked" style="margin-bottom: 0.5em">
-						<input type="hidden" name="countryIds" :value="country.id"/>
-						({{country.letter}}){{country.name}} <a href="" @click.prevent="deselectCountry(country)" title="取消封禁"><i class="icon remove"></i></a>
-					</div>
-				</td>
-			</tr>
-			<tr>
-				<td>选择封禁区域</td>
-				<td>
-					<more-options-indicator>选择区域</more-options-indicator>
-
-					<div class="ui menu tabular tiny region-letter-group" v-show="moreOptionsVisible">
-						<a href="" v-for="group in letterGroups" class="item" :class="{active: group == selectedGroup}" @click.prevent="selectGroup(group)">{{group}}</a>
-						<div class="item right">
-							<div class="ui checkbox" @click.prevent="checkAll">
-								<input type="checkbox" v-model="isCheckingAll"/>
-								<label>全选</label>
-							</div>
-						</div>
-					</div>
-					<div v-for="group in letterGroups"  v-show="moreOptionsVisible">
-						<div v-for="letter in group" v-if="letterCountries[letter] != null && group == selectedGroup" class="country-group">
-							<h4>{{letter}}</h4>
-							<div class="country-list">
-								<div class="item" v-for="country in letterCountries[letter]">
-									<div class="ui checkbox" @click.prevent="selectCountry(country)">
-										<input type="checkbox" v-model="country.isChecked"/>
-										<label>{{country.name}}</label>
-									</div>
-								</div>
-							</div>
-							<div class="clear"></div>
-						</div>
-					</div>
-				</td>
-			</tr>
+            <tr>
+                <td class="title">仅允许的区域</td>
+                <td>
+                    <http-firewall-region-selector :v-countries="allowedCountries" :v-type="'allow'" @change="changeAllowedCountries"></http-firewall-region-selector>
+                </td>
+            </tr>
+            <tr>
+                <td class="title">仅封禁的区域</td>
+                <td>
+                    <p class="comment" v-if="allowedCountries.length > 0">由于你已设置"仅允许的区域"，所以不需要再设置封禁区域。</p>
+                    <http-firewall-region-selector :v-countries="deniedCountries" :v-type="'deny'" v-show="allowedCountries.length == 0"></http-firewall-region-selector>
+                </td>
+            </tr>
+            <tr>
+                <td colspan="2"><more-options-indicator></more-options-indicator></td>
+            </tr>
+            <tbody v-show="moreOptionsVisible">
+                <tr>
+                    <td>例外URL &nbsp;<tip-icon content="对这些URL将不做任何限制。"></tip-icon></td>
+                    <td><url-patterns-box v-model="exceptURLPatterns"></url-patterns-box></td>
+                </tr>
+                <tr>
+                    <td>限制URL &nbsp;<tip-icon content="只对这些URL做限制。"></tip-icon></td>
+                    <td><url-patterns-box v-model="onlyURLPatterns"></url-patterns-box></td>
+                </tr>
+            </tbody>
 		</table>
 		<submit-btn></submit-btn>
 	</form>
diff --git a/web/views/@default/servers/groups/group/settings/waf/ipadmin/countries.js b/web/views/@default/servers/groups/group/settings/waf/ipadmin/countries.js
index b0ed60d1..8f1ffa7b 100644
--- a/web/views/@default/servers/groups/group/settings/waf/ipadmin/countries.js
+++ b/web/views/@default/servers/groups/group/settings/waf/ipadmin/countries.js
@@ -1,54 +1,11 @@
 Tea.context(function () {
-	this.letterGroups = [
-		"ABC", "DEF", "GHI", "JKL", "MNO", "PQR", "STU", "VWX", "YZ"
-	];
-	this.selectedGroup = "ABC"
-	this.letterCountries = {}
-	let that = this
-	this.countSelectedCountries = this.countries.$count(function (k, country) {
-		return country.isChecked
-	})
-	this.countries.forEach(function (country) {
-		if (typeof (that.letterCountries[country.letter]) == "undefined") {
-			that.letterCountries[country.letter] = []
-		}
-		that.letterCountries[country.letter].push(country)
-	})
-	this.isCheckingAll = false
-
-	this.selectGroup = function (group) {
-		this.selectedGroup = group
-	}
-
-	this.selectCountry = function (country) {
-		country.isChecked = !country.isChecked
-		this.change()
-	}
-
-	this.deselectCountry = function (country) {
-		country.isChecked = false
-		this.change()
-	}
-
-	this.checkAll = function () {
-		this.isCheckingAll = !this.isCheckingAll
-
-		this.countries.forEach(function (country) {
-			country.isChecked = that.isCheckingAll
-		})
-
-		this.change()
-	}
-
 	this.success = function () {
 		teaweb.success("保存成功", function () {
 			teaweb.reload()
 		})
 	}
 
-	this.change = function () {
-		this.countSelectedCountries = this.countries.$count(function (k, country) {
-			return country.isChecked
-		})
+	this.changeAllowedCountries = function (event) {
+		this.allowedCountries = event.countries
 	}
 })
\ No newline at end of file
diff --git a/web/views/@default/servers/groups/group/settings/waf/ipadmin/provinces.html b/web/views/@default/servers/groups/group/settings/waf/ipadmin/provinces.html
index d1ea2261..c042e2c0 100644
--- a/web/views/@default/servers/groups/group/settings/waf/ipadmin/provinces.html
+++ b/web/views/@default/servers/groups/group/settings/waf/ipadmin/provinces.html
@@ -11,42 +11,35 @@
 
 	<form method="post" class="ui form" data-tea-action="$" data-tea-success="success">
 		<input type="hidden" name="firewallPolicyId" :value="firewallPolicyId"/>
+        <input type="hidden" name="exceptURLPatternsJSON" :value="JSON.stringify(exceptURLPatterns)"/>
+        <input type="hidden" name="onlyURLPatternsJSON" :value="JSON.stringify(onlyURLPatterns)"/>
 		<table class="ui table selectable definition">
-			<tr>
-				<td class="title">已封禁</td>
-				<td>
-					<span v-if="countSelectedProvinces == 0" class="disabled">暂时没有选择封禁省份。</span>
-					<div class="ui label tiny basic" v-for="province in provinces" v-if="province.isChecked" style="margin-bottom: 0.5em">
-						<input type="hidden" name="provinceIds" :value="province.id"/>
-						{{province.name}} <a href="" @click.prevent="deselectProvince(province)" title="取消封禁"><i class="icon remove"></i></a>
-					</div>
-				</td>
-			</tr>
-			<tr>
-				<td>选择封禁区域</td>
-				<td>
-
-					<first-menu>
-						<menu-item><more-options-indicator>选择省份/自治区</more-options-indicator></menu-item>
-						<div class="item right" v-show="moreOptionsVisible">
-							<div class="ui checkbox" @click.prevent="checkAll">
-								<input type="checkbox" v-model="isCheckingAll"/>
-								<label>全选</label>
-							</div>
-						</div>
-					</first-menu>
-
-					<div class="province-list" v-show="moreOptionsVisible" style="margin-top:0.5em">
-						<div class="item" v-for="province in provinces">
-							<div class="ui checkbox" @click.prevent="selectProvince(province)">
-								<input type="checkbox" v-model="province.isChecked"/>
-								<label>{{province.name}}</label>
-							</div>
-						</div>
-					</div>
-					<div class="clear"></div>
-				</td>
-			</tr>
+            <tr>
+                <td class="title">仅允许的省份</td>
+                <td>
+                    <http-firewall-province-selector :v-provinces="allowedProvinces" :v-type="'allow'" @change="changeAllowedProvinces"></http-firewall-province-selector>
+                </td>
+            </tr>
+            <tr>
+                <td class="title">仅封禁的省份</td>
+                <td>
+                    <p class="comment" v-if="allowedProvinces.length > 0">由于你已设置"仅允许的省份"，所以不需要再设置封禁省份。</p>
+                    <http-firewall-province-selector :v-provinces="deniedProvinces" :v-type="'deny'" v-show="allowedProvinces.length == 0"></http-firewall-province-selector>
+                </td>
+            </tr>
+            <tr>
+                <td colspan="2"><more-options-indicator></more-options-indicator></td>
+            </tr>
+            <tbody v-show="moreOptionsVisible">
+                <tr>
+                    <td>例外URL &nbsp;<tip-icon content="对这些URL将不做任何限制。"></tip-icon></td>
+                    <td><url-patterns-box v-model="exceptURLPatterns"></url-patterns-box></td>
+                </tr>
+                <tr>
+                    <td>限制URL &nbsp;<tip-icon content="只对这些URL做限制。"></tip-icon></td>
+                    <td><url-patterns-box v-model="onlyURLPatterns"></url-patterns-box></td>
+                </tr>
+            </tbody>
 		</table>
 		<submit-btn></submit-btn>
 	</form>
diff --git a/web/views/@default/servers/groups/group/settings/waf/ipadmin/provinces.js b/web/views/@default/servers/groups/group/settings/waf/ipadmin/provinces.js
index f2e83994..cce07f92 100644
--- a/web/views/@default/servers/groups/group/settings/waf/ipadmin/provinces.js
+++ b/web/views/@default/servers/groups/group/settings/waf/ipadmin/provinces.js
@@ -1,40 +1,11 @@
 Tea.context(function () {
-	this.isCheckingAll = false
-
-	this.countSelectedProvinces = this.provinces.$count(function (k, province) {
-		return province.isChecked
-	})
-
-	this.selectProvince = function (province) {
-		province.isChecked = !province.isChecked
-		this.change()
-	}
-
-	this.deselectProvince = function (province) {
-		province.isChecked = false
-		this.change()
-	}
-
-	this.checkAll = function () {
-		this.isCheckingAll = !this.isCheckingAll
-		let that = this
-		this.provinces.forEach(function (province) {
-			province.isChecked = that.isCheckingAll
-		})
-
-		this.change()
-	}
-
 	this.success = function () {
 		teaweb.success("保存成功", function () {
 			teaweb.reload()
 		})
 	}
 
-
-	this.change = function () {
-		this.countSelectedProvinces = this.provinces.$count(function (k, province) {
-			return province.isChecked
-		})
+	this.changeAllowedProvinces = function (event) {
+		this.allowedProvinces = event.provinces
 	}
 })
\ No newline at end of file