mirror of
https://github.com/TeaOSLab/EdgeNode.git
synced 2025-11-24 16:00:24 +08:00
检查synflood时忽略IP白名单和局域网连接
This commit is contained in:
GoEdgeLab
@@ -33,11 +33,12 @@ type ClientConn struct {
|
||||
hasRead bool
|
||||
|
||||
isLO bool // 是否为环路
|
||||
isInAllowList bool
|
||||
|
||||
hasResetSYNFlood bool
|
||||
}
|
||||
|
||||
func NewClientConn(rawConn net.Conn, isTLS bool, quickClose bool) net.Conn {
|
||||
func NewClientConn(rawConn net.Conn, isTLS bool, quickClose bool, isInAllowList bool) net.Conn {
|
||||
// 是否为环路
|
||||
var remoteAddr = rawConn.RemoteAddr().String()
|
||||
var isLO = strings.HasPrefix(remoteAddr, "127.0.0.1:") || strings.HasPrefix(remoteAddr, "[::1]:")
|
||||
@@ -46,6 +47,7 @@ func NewClientConn(rawConn net.Conn, isTLS bool, quickClose bool) net.Conn {
|
||||
BaseClientConn: BaseClientConn{rawConn: rawConn},
|
||||
isTLS: isTLS,
|
||||
isLO: isLO,
|
||||
isInAllowList: isInAllowList,
|
||||
}
|
||||
|
||||
if quickClose {
|
||||
@@ -89,11 +91,14 @@ func (this *ClientConn) Read(b []byte) (n int, err error) {
|
||||
}
|
||||
}
|
||||
|
||||
// 检测是否为握手错误
|
||||
var isHandshakeError = err != nil && os.IsTimeout(err) && !this.hasRead
|
||||
if isHandshakeError {
|
||||
_ = this.SetLinger(0)
|
||||
}
|
||||
|
||||
// 忽略白名单和局域网
|
||||
if !this.isInAllowList && !utils.IsLocalIP(this.RawIP()) {
|
||||
// SYN Flood检测
|
||||
if this.serverId == 0 || !this.hasResetSYNFlood {
|
||||
var synFloodConfig = sharedNodeConfig.SYNFloodConfig()
|
||||
@@ -106,6 +111,7 @@ func (this *ClientConn) Read(b []byte) (n int, err error) {
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
@@ -17,6 +17,8 @@ type BaseClientConn struct {
|
||||
hasLimit bool
|
||||
|
||||
isClosed bool
|
||||
|
||||
rawIP string
|
||||
}
|
||||
|
||||
func (this *BaseClientConn) IsClosed() bool {
|
||||
@@ -86,7 +88,12 @@ func (this *BaseClientConn) UserId() int64 {
|
||||
|
||||
// RawIP 原本IP
|
||||
func (this *BaseClientConn) RawIP() string {
|
||||
if len(this.rawIP) > 0 {
|
||||
return this.rawIP
|
||||
}
|
||||
|
||||
ip, _, _ := net.SplitHostPort(this.rawConn.RemoteAddr().String())
|
||||
this.rawIP = ip
|
||||
return ip
|
||||
}
|
||||
|
||||
|
||||
@@ -41,8 +41,10 @@ func (this *ClientListener) Accept() (net.Conn, error) {
|
||||
|
||||
// 是否在WAF名单中
|
||||
ip, _, err := net.SplitHostPort(conn.RemoteAddr().String())
|
||||
var isInAllowList = false
|
||||
if err == nil {
|
||||
canGoNext, _ := iplibrary.AllowIP(ip, 0)
|
||||
canGoNext, inAllowList := iplibrary.AllowIP(ip, 0)
|
||||
isInAllowList = inAllowList
|
||||
if !waf.SharedIPWhiteList.Contains(waf.IPTypeAll, firewallconfigs.FirewallScopeGlobal, 0, ip) {
|
||||
expiresAt, ok := waf.SharedIPBlackList.ContainsExpires(waf.IPTypeAll, firewallconfigs.FirewallScopeGlobal, 0, ip)
|
||||
if ok {
|
||||
@@ -76,7 +78,7 @@ func (this *ClientListener) Accept() (net.Conn, error) {
|
||||
}
|
||||
}
|
||||
|
||||
return NewClientConn(conn, this.isTLS, this.quickClose), nil
|
||||
return NewClientConn(conn, this.isTLS, this.quickClose, isInAllowList), nil
|
||||
}
|
||||
|
||||
func (this *ClientListener) Close() error {
|
||||
|
||||
Reference in New Issue
Block a user