检查synflood时忽略IP白名单和局域网连接

internal/nodes/client_conn.go

@@ -32,12 +32,13 @@ type ClientConn struct {
 	hasDeadline bool
 	hasRead     bool
 
-	isLO bool // 是否为环路
+	isLO          bool // 是否为环路
+	isInAllowList bool
 
 	hasResetSYNFlood bool
 }
 
-func NewClientConn(rawConn net.Conn, isTLS bool, quickClose bool) net.Conn {
+func NewClientConn(rawConn net.Conn, isTLS bool, quickClose bool, isInAllowList bool) net.Conn {
 	// 是否为环路
 	var remoteAddr = rawConn.RemoteAddr().String()
 	var isLO = strings.HasPrefix(remoteAddr, "127.0.0.1:") || strings.HasPrefix(remoteAddr, "[::1]:")
@@ -46,6 +47,7 @@ func NewClientConn(rawConn net.Conn, isTLS bool, quickClose bool) net.Conn {
 		BaseClientConn: BaseClientConn{rawConn: rawConn},
 		isTLS:          isTLS,
 		isLO:           isLO,
+		isInAllowList:  isInAllowList,
 	}
 
 	if quickClose {
@@ -89,20 +91,24 @@ func (this *ClientConn) Read(b []byte) (n int, err error) {
 		}
 	}
 
+	// 检测是否为握手错误
 	var isHandshakeError = err != nil && os.IsTimeout(err) && !this.hasRead
 	if isHandshakeError {
 		_ = this.SetLinger(0)
 	}
 
-	// SYN Flood检测
+	// 忽略白名单和局域网
-	if this.serverId == 0 || !this.hasResetSYNFlood {
+	if !this.isInAllowList && !utils.IsLocalIP(this.RawIP()) {
-		var synFloodConfig = sharedNodeConfig.SYNFloodConfig()
+		// SYN Flood检测
-		if synFloodConfig != nil && synFloodConfig.IsOn {
+		if this.serverId == 0 || !this.hasResetSYNFlood {
-			if isHandshakeError {
+			var synFloodConfig = sharedNodeConfig.SYNFloodConfig()
-				this.increaseSYNFlood(synFloodConfig)
+			if synFloodConfig != nil && synFloodConfig.IsOn {
-			} else if err == nil && !this.hasResetSYNFlood {
+				if isHandshakeError {
-				this.hasResetSYNFlood = true
+					this.increaseSYNFlood(synFloodConfig)
-				this.resetSYNFlood()
+				} else if err == nil && !this.hasResetSYNFlood {
+					this.hasResetSYNFlood = true
+					this.resetSYNFlood()
+				}
 			}
 		}
 	}

internal/nodes/client_conn_base.go

@@ -17,6 +17,8 @@ type BaseClientConn struct {
 	hasLimit   bool
 
 	isClosed bool
+
+	rawIP string
 }
 
 func (this *BaseClientConn) IsClosed() bool {
@@ -86,7 +88,12 @@ func (this *BaseClientConn) UserId() int64 {
 
 // RawIP 原本IP
 func (this *BaseClientConn) RawIP() string {
+	if len(this.rawIP) > 0 {
+		return this.rawIP
+	}
+
 	ip, _, _ := net.SplitHostPort(this.rawConn.RemoteAddr().String())
+	this.rawIP = ip
 	return ip
 }
 

internal/nodes/client_listener.go

@@ -41,8 +41,10 @@ func (this *ClientListener) Accept() (net.Conn, error) {
 
 	// 是否在WAF名单中
 	ip, _, err := net.SplitHostPort(conn.RemoteAddr().String())
+	var isInAllowList = false
 	if err == nil {
-		canGoNext, _ := iplibrary.AllowIP(ip, 0)
+		canGoNext, inAllowList := iplibrary.AllowIP(ip, 0)
+		isInAllowList = inAllowList
 		if !waf.SharedIPWhiteList.Contains(waf.IPTypeAll, firewallconfigs.FirewallScopeGlobal, 0, ip) {
 			expiresAt, ok := waf.SharedIPBlackList.ContainsExpires(waf.IPTypeAll, firewallconfigs.FirewallScopeGlobal, 0, ip)
 			if ok {
@@ -76,7 +78,7 @@ func (this *ClientListener) Accept() (net.Conn, error) {
 		}
 	}
 
-	return NewClientConn(conn, this.isTLS, this.quickClose), nil
+	return NewClientConn(conn, this.isTLS, this.quickClose, isInAllowList), nil
 }
 
 func (this *ClientListener) Close() error {