diff --git a/internal/nodes/waf_manager.go b/internal/nodes/waf_manager.go
index db021c1..849e769 100644
--- a/internal/nodes/waf_manager.go
+++ b/internal/nodes/waf_manager.go
@@ -88,6 +88,7 @@ func (this *WAFManager) convertWAF(policy *firewallconfigs.HTTPFirewallPolicy) (
 Name: set.Name,
 Description: set.Description,
 Connector: set.Connector,
+ IgnoreLocal: set.IgnoreLocal,
 }
 for _, a := range set.Actions {
 s.AddAction(a.Code, a.Options)
@@ -143,6 +144,7 @@ func (this *WAFManager) convertWAF(policy *firewallconfigs.HTTPFirewallPolicy) (
 Name: set.Name,
 Description: set.Description,
 Connector: set.Connector,
+ IgnoreLocal: set.IgnoreLocal,
 }
 for _, a := range set.Actions {
diff --git a/internal/utils/ip.go b/internal/utils/ip.go
index 417073d..6dae6a0 100644
--- a/internal/utils/ip.go
+++ b/internal/utils/ip.go
@@ -24,3 +24,33 @@ func IP2Long(ip string) uint64 {
 }
 return uint64(binary.BigEndian.Uint32(s.To4()))
 }
+
+// IsLocalIP 判断是否为本地IP
+func IsLocalIP(ipString string) bool {
+ var ip = net.ParseIP(ipString)
+ if ip == nil {
+ return false
+ }
+
+ // IPv6
+ if strings.Contains(ipString, ":") {
+ if ip.String() == "::1" {
+ return true
+ }
+ return false
+ }
+
+ // IPv4
+ ip = ip.To4()
+ if ip == nil {
+ return false
+ }
+ if ip[0] == 127 ||
+ ip[0] == 10 ||
+ (ip[0] == 172 && ip[1]&0xf0 == 16) ||
+ (ip[0] == 192 && ip[1] == 168) {
+ return true
+ }
+
+ return false
+}
diff --git a/internal/utils/ip_test.go b/internal/utils/ip_test.go
index a074da8..ef2a412 100644
--- a/internal/utils/ip_test.go
+++ b/internal/utils/ip_test.go
@@ -1,6 +1,9 @@
 package utils
 
-import "testing"
+import (
+ "github.com/iwind/TeaGo/assert"
+ "testing"
+)
 
 func TestIP2Long(t *testing.T) {
 t.Log(IP2Long("0.0.0.0"))
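Review bot: IsLocalIP judges the two address families by different standards: the IPv6 branch accepts only the literal `::1`, so an IPv4-mapped form such as `::ffff:127.0.0.1` (it contains a colon and therefore never reaches the `To4()` path) and the IPv6 unique-local range fc00::/7 are reported as not local, while the IPv4 path covers loopback plus all three RFC 1918 blocks. If the module targets Go 1.17 or later, everything after the nil check collapses to `return ip.IsLoopback() || ip.IsPrivate()`, which treats mapped addresses and the IPv6 ranges consistently and removes the hand-rolled mask arithmetic. Whichever implementation is kept, the doc comment should state the contract in English, e.g. `// IsLocalIP reports whether ipString parses as a loopback address or an RFC 1918 private IPv4 address; anything else, including unparseable input, yields false.` The name suggests "this host" but the function answers "private network", which matters to callers that use it to skip WAF checks.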
@@ -10,3 +13,16 @@ func TestIP2Long(t *testing.T) {
 t.Log(IP2Long("2001:db8:0:1::102"))
 t.Log(IP2Long("::1"))
 }
+
+func TestIsLocalIP(t *testing.T) {
+ var a = assert.NewAssertion(t)
+ a.IsFalse(IsLocalIP("a"))
+ a.IsFalse(IsLocalIP("1.2.3"))
+ a.IsTrue(IsLocalIP("127.0.0.1"))
+ a.IsTrue(IsLocalIP("192.168.0.1"))
+ a.IsTrue(IsLocalIP("10.0.0.1"))
+ a.IsTrue(IsLocalIP("172.16.0.1"))
+ a.IsTrue(IsLocalIP("::1"))
+ a.IsFalse(IsLocalIP("::1:2:3"))
+ a.IsFalse(IsLocalIP("8.8.8.8"))
+}
diff --git a/internal/waf/rule_set.go b/internal/waf/rule_set.go
index 405f10a..60c1d9e 100644
--- a/internal/waf/rule_set.go
+++ b/internal/waf/rule_set.go
@@ -3,6 +3,7 @@ package waf
 import (
 "github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs/firewallconfigs"
 "github.com/TeaOSLab/EdgeNode/internal/remotelogs"
+ "github.com/TeaOSLab/EdgeNode/internal/utils"
 "github.com/TeaOSLab/EdgeNode/internal/waf/requests"
 "github.com/iwind/TeaGo/lists"
 "github.com/iwind/TeaGo/maps"
@@ -26,6 +27,7 @@ type RuleSet struct {
 Rules []*Rule `yaml:"rules" json:"rules"`
 Connector RuleConnector `yaml:"connector" json:"connector"` // rules connector
 Actions []*ActionConfig `yaml:"actions" json:"actions"`
+ IgnoreLocal bool `yaml:"ignoreLocal" json:"ignoreLocal"`
 
 actionCodes []string
 actionInstances []ActionInterface
@@ -163,6 +165,11 @@ func (this *RuleSet) PerformActions(waf *WAF, group *RuleGroup, req requests.Req
 }
 
 func (this *RuleSet) MatchRequest(req requests.Request) (b bool, err error) {
+ // 是否忽略局域网IP
+ if this.IgnoreLocal && utils.IsLocalIP(req.WAFRemoteIP()) {
+ return false, nil
+ }
+
 if !this.hasRules {
 return false, nil
 }
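Review bot: TestIsLocalIP has no negative boundary for the 172.16/12 block, so the `ip[1]&0xf0 == 16` mask in IsLocalIP is exercised only by a single positive case; adding `a.IsFalse(IsLocalIP("172.32.0.1"))` and `a.IsTrue(IsLocalIP("172.31.255.255"))` pins both edges. A case for the IPv4-mapped form, `a.IsFalse(IsLocalIP("::ffff:127.0.0.1"))`, would also record the current behaviour for that input, which the implementation currently routes through the IPv6 branch and rejects.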
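Review bot: The early return added to MatchRequest makes the whole rule set conditional on `req.WAFRemoteIP()` being the real peer address; its derivation is not visible here, and if it can be populated from a client-supplied header such as X-Forwarded-For, a request presenting a private address would skip this set's rules entirely. That precondition should be written down where the option is defined, on the struct field in the `@@ -26,6 +27,7 @@` hunk: `IgnoreLocal bool ... // skip this set for loopback/RFC 1918 client IPs; assumes WAFRemoteIP is the connection peer or a trusted-proxy result, never an unvalidated header`, and the Chinese comment in this hunk translated to say the same. A debug-level log when the skip fires would make a mis-set trusted-proxy list visible rather than silent, though that is a judgement call. MatchRequest continues past the end of the hunk.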