WAF动作block和record_ip同时存在时，优先执行record_ip

2026-02-04 15:25:49 +08:00 · 2021-10-06 08:56:38 +08:00
parent f511b4089b
commit e82171afc8
2 changed files with 15 additions and 2 deletions
--- a/internal/nodes/http_request_waf.go
+++ b/internal/nodes/http_request_waf.go
@@ -198,7 +198,7 @@ func (this *HTTPRequest) checkWAFRequest(firewallPolicy *firewallconfigs.HTTPFir
 			stats.SharedHTTPRequestStatManager.AddFirewallRuleGroupId(this.Server.Id, this.firewallRuleGroupId, ruleSet.Actions)
 		}

-		this.firewallActions = ruleSet.ActionCodes()
+		this.firewallActions = append(ruleSet.ActionCodes(), firewallPolicy.Mode)
 	}

 	return !goNext, false
@@ -262,7 +262,7 @@ func (this *HTTPRequest) checkWAFResponse(firewallPolicy *firewallconfigs.HTTPFi
 			stats.SharedHTTPRequestStatManager.AddFirewallRuleGroupId(this.Server.Id, this.firewallRuleGroupId, ruleSet.Actions)
 		}

-		this.firewallActions = ruleSet.ActionCodes()
+		this.firewallActions = append(ruleSet.ActionCodes(), firewallPolicy.Mode)
 	}

 	return !goNext
--- a/internal/waf/rule_set.go
+++ b/internal/waf/rule_set.go
@@ -8,6 +8,7 @@ import (
 	"github.com/iwind/TeaGo/maps"
 	"github.com/iwind/TeaGo/utils/string"
 	"net/http"
+	"sort"
 )

 type RuleConnector = string
@@ -122,6 +123,18 @@ func (this *RuleSet) PerformActions(waf *WAF, group *RuleGroup, req requests.Req
 		return true
 	}

+	// 排序
+	sort.Slice(this.actionInstances, func(i, j int) bool {
+		var instance1 = this.actionInstances[i]
+		if !instance1.WillChange() {
+			return true
+		}
+		if instance1.Code() == ActionRecordIP {
+			return true
+		}
+		return false
+	})
+
 	// 先执行allow
 	for _, instance := range this.actionInstances {
 		if !instance.WillChange() {