diff --git a/internal/nodes/client_conn.go b/internal/nodes/client_conn.go index d1f97da..fe0b83a 100644 --- a/internal/nodes/client_conn.go +++ b/internal/nodes/client_conn.go @@ -32,12 +32,13 @@ type ClientConn struct { hasDeadline bool hasRead bool - isLO bool // 是否为环路 + isLO bool // 是否为环路 + isInAllowList bool hasResetSYNFlood bool } -func NewClientConn(rawConn net.Conn, isTLS bool, quickClose bool) net.Conn { +func NewClientConn(rawConn net.Conn, isTLS bool, quickClose bool, isInAllowList bool) net.Conn { // 是否为环路 var remoteAddr = rawConn.RemoteAddr().String() var isLO = strings.HasPrefix(remoteAddr, "127.0.0.1:") || strings.HasPrefix(remoteAddr, "[::1]:") @@ -46,6 +47,7 @@ func NewClientConn(rawConn net.Conn, isTLS bool, quickClose bool) net.Conn { BaseClientConn: BaseClientConn{rawConn: rawConn}, isTLS: isTLS, isLO: isLO, + isInAllowList: isInAllowList, } if quickClose { @@ -89,20 +91,24 @@ func (this *ClientConn) Read(b []byte) (n int, err error) { } } + // 检测是否为握手错误 var isHandshakeError = err != nil && os.IsTimeout(err) && !this.hasRead if isHandshakeError { _ = this.SetLinger(0) } - // SYN Flood检测 - if this.serverId == 0 || !this.hasResetSYNFlood { - var synFloodConfig = sharedNodeConfig.SYNFloodConfig() - if synFloodConfig != nil && synFloodConfig.IsOn { - if isHandshakeError { - this.increaseSYNFlood(synFloodConfig) - } else if err == nil && !this.hasResetSYNFlood { - this.hasResetSYNFlood = true - this.resetSYNFlood() + // 忽略白名单和局域网 + if !this.isInAllowList && !utils.IsLocalIP(this.RawIP()) { + // SYN Flood检测 + if this.serverId == 0 || !this.hasResetSYNFlood { + var synFloodConfig = sharedNodeConfig.SYNFloodConfig() + if synFloodConfig != nil && synFloodConfig.IsOn { + if isHandshakeError { + this.increaseSYNFlood(synFloodConfig) + } else if err == nil && !this.hasResetSYNFlood { + this.hasResetSYNFlood = true + this.resetSYNFlood() + } } } } 
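Review bot: In the third hunk the new allow-list/local-IP test wraps the SYN-flood block from the outside, so `utils.IsLocalIP(this.RawIP())` now runs on every Read() of every connection, including the serverId == 0 case where the existing `this.serverId == 0 || !this.hasResetSYNFlood` guard never becomes false. All of these conditions are ANDed, so the nesting can be inverted without changing which connections are counted: keep the existing guards where they were and test `if !this.isInAllowList && !utils.IsLocalIP(this.RawIP()) {` only inside the `synFloodConfig != nil && synFloodConfig.IsOn` branch, where the detector is actually active. If the local-IP classification is stable for the connection's lifetime (RemoteAddr does not change), computing it once in NewClientConn next to `isLO` and storing it in a bool field would remove the per-read parse entirely. Read's body starts and ends outside the hunk.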
diff --git a/internal/nodes/client_conn_base.go b/internal/nodes/client_conn_base.go index 503713b..e0cb250 100644 --- a/internal/nodes/client_conn_base.go +++ b/internal/nodes/client_conn_base.go @@ -17,6 +17,8 @@ type BaseClientConn struct { hasLimit bool isClosed bool + + rawIP string } func (this *BaseClientConn) IsClosed() bool { @@ -86,7 +88,12 @@ func (this *BaseClientConn) UserId() int64 { // RawIP 原本IP func (this *BaseClientConn) RawIP() string { + if len(this.rawIP) > 0 { + return this.rawIP + } + ip, _, _ := net.SplitHostPort(this.rawConn.RemoteAddr().String()) + this.rawIP = ip return ip } diff --git a/internal/nodes/client_listener.go b/internal/nodes/client_listener.go index 916e456..b4b93a0 100644 --- a/internal/nodes/client_listener.go +++ b/internal/nodes/client_listener.go @@ -41,8 +41,10 @@ func (this *ClientListener) Accept() (net.Conn, error) { // 是否在WAF名单中 ip, _, err := net.SplitHostPort(conn.RemoteAddr().String()) + var isInAllowList = false if err == nil { - canGoNext, _ := iplibrary.AllowIP(ip, 0) + canGoNext, inAllowList := iplibrary.AllowIP(ip, 0) + isInAllowList = inAllowList if !waf.SharedIPWhiteList.Contains(waf.IPTypeAll, firewallconfigs.FirewallScopeGlobal, 0, ip) { expiresAt, ok := waf.SharedIPBlackList.ContainsExpires(waf.IPTypeAll, firewallconfigs.FirewallScopeGlobal, 0, ip) if ok { @@ -76,7 +78,7 @@ func (this *ClientListener) Accept() (net.Conn, error) { } } - return NewClientConn(conn, this.isTLS, this.quickClose), nil + return NewClientConn(conn, this.isTLS, this.quickClose, isInAllowList), nil } func (this *ClientListener) Close() error {
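Review bot: In the RawIP hunk the lazily cached `this.rawIP = ip` is an unsynchronized write on the connection struct, and Read() in client_conn.go now calls RawIP() on every invocation, so if any other goroutine reads RawIP() on the same connection (logging, access checks) this is a data race under -race. The value is fixed for the connection because RemoteAddr never changes, so the simplest fix is to populate it eagerly where BaseClientConn is built (`BaseClientConn{rawConn: rawConn, rawIP: ip}` in NewClientConn, which already has remoteAddr on hand) and make RawIP a plain getter; a `sync.Once` would also work. Note also that when SplitHostPort fails the result is empty, `len(this.rawIP) > 0` stays false and the parse repeats on every call; either cache that outcome with a separate flag or document it, e.g. `// an unparseable RemoteAddr yields "" and is deliberately not cached`.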
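Review bot: In the first client_listener.go hunk `isInAllowList` is derived from `iplibrary.AllowIP(ip, 0)` only, so, assuming the 0 is the same global scope that `this.serverId == 0` denotes in client_conn.go, a client allow-listed for a specific server but not globally is still counted by the SYN-flood detector; that is a sensible default since the server is not known at accept time, but it should be stated where the flag is set: `// global allow list only; server-scoped lists are unknown at accept time, so those clients still count toward SYN-flood`. On style, `var isInAllowList = false` assigns the zero value and reads more idiomatically as `var isInAllowList bool`. The two-step `canGoNext, inAllowList := ...` followed by `isInAllowList = inAllowList` is correct as written; collapsing it to `canGoNext, isInAllowList := ...` inside the `if err == nil` block would shadow the outer variable and silently leave it false. Accept's body starts and ends outside the hunk.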