update 更新ip黑白名单的过滤方式

1.改写函数
white_ip_check()
black_ip_check()

2.ip规则写法例子
whiteip
blackip

192.168.1.1                 单IP过滤
192.168.1.0/24                网段过滤
192.168.0.0,192.168.0.255    IP区间过滤（起始IP,结束IP）

3.lib.lua末尾增加功能函数
ipToInt(str)
intToIp(n)
subnet(ip, masklen)
pull/11/head
174001602 2020-11-30 19:45:30 +08:00
parent 2237703f33
commit e90fe5ac62
2 changed files with 98 additions and 3 deletions


@ -13,8 +13,37 @@ function white_ip_check()
local WHITE_IP = get_client_ip()
if IP_WHITE_RULE ~= nil then
for _,rule in pairs(IP_WHITE_RULE) do
if rule ~= "" and rulematch(WHITE_IP,rule,"jo") then
log_record("White_IP",ngx.var.request_uri,"_","_")
if rule ~= "" then
RULE_IP_START = 9999999999
RULE_IP_END = 9999999999
if string.find(rule, ",") then
local s,l = string.find(rule, ",")
local num = 0
num = l - 1
RULE_IP_START = ipToInt(string.sub(rule, 1, num))
num = l + 1
RULE_IP_END = ipToInt(string.sub(rule, num))
elseif string.find(rule, "/") then
local s,l = string.find(rule, "/")
local num = 0
num = l - 1
RULE_IP = string.sub(rule, 1, num)
num = l + 1
RULE_END = string.sub(rule, num)
RULE_IP_START = ipToInt(subnet(RULE_IP, RULE_END))
if tonumber(RULE_END) ~= '' and tonumber(RULE_END) < 32 then
RULE_IP_END = RULE_IP_START + 2^(32 - RULE_END) - 1
else
RULE_IP_END = RULE_IP_START
end
elseif (rule ~= 'unknown') then
RULE_IP_START = ipToInt(rule)
RULE_IP_END = RULE_IP_START
end
end
local Num_White_IP = ipToInt(get_client_ip())
if rule ~= "" and RULE_IP_START <= Num_White_IP and Num_White_IP <= RULE_IP_END then
log_record("White_IP",ngx.var.request_uri,"_",rule)
return true
end
end
@ -29,7 +58,36 @@ function black_ip_check()
local BLACK_IP = get_client_ip()
if IP_BLACK_RULE ~= nil then
for _,rule in pairs(IP_BLACK_RULE) do
if rule ~= "" and rulematch(BLACK_IP,rule,"jo") then
if rule ~= "" then
RULE_IP_START = 9999999999
RULE_IP_END = 9999999999
if string.find(rule, ",") then
local s,l = string.find(rule, ",")
local num = 0
num = l - 1
RULE_IP_START = ipToInt(string.sub(rule, 1, num))
num = l + 1
RULE_IP_END = ipToInt(string.sub(rule, num))
elseif string.find(rule, "/") then
local s,l = string.find(rule, "/")
local num = 0
num = l - 1
RULE_IP = string.sub(rule, 1, num)
num = l + 1
RULE_END = string.sub(rule, num)
RULE_IP_START = ipToInt(subnet(RULE_IP, RULE_END))
if tonumber(RULE_END) ~= '' and tonumber(RULE_END) < 32 then
RULE_IP_END = RULE_IP_START + 2^(32 - RULE_END) - 1
else
RULE_IP_END = RULE_IP_START
end
elseif (rule ~= 'unknown') then
RULE_IP_START = ipToInt(rule)
RULE_IP_END = RULE_IP_START
end
end
local Num_Black_IP = ipToInt(get_client_ip())
if rule ~= "" and RULE_IP_START <= Num_Black_IP and Num_Black_IP <= RULE_IP_END then
-- log_record('BlackList_IP',ngx.var.request_uri,"_","_")
if config_waf_enable == "on" then
ngx.header.content_type = "text/html"
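Review bot: A `/32` rule or a non-numeric mask raises a runtime error in the access phase instead of being rejected: in the white_ip_check hunk `RULE_END` is the raw substring after `/`, `tonumber(RULE_END) ~= ''` is always true (a number never equals a string), and when `tonumber` yields nil the comparison `nil < 32` throws, while `subnet()` receives the string, its `masklen == 32` shortcut never fires (string compared to number) and the `/32` case then does arithmetic on a nil octet. Because both checks run on every request, one malformed line in whiteip or blackip presumably turns into a Lua error (a 500) for all traffic rather than a logged bad rule. Convert once and check for nil: `RULE_END = tonumber(string.sub(rule, num))`, `RULE_IP_START = ipToInt(subnet(RULE_IP, RULE_END or 32))`, `if RULE_END and RULE_END < 32 then`; the identical lines in the black_ip_check hunk need the same change. `RULE_IP_START`, `RULE_IP_END`, `RULE_IP` and `RULE_END` are also assigned without `local` and so become worker-wide globals in the request handler; declare them `local` inside the loop. Both functions begin before their hunks, and white_ip_check's body continues past the end of the first one.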

37
lib.lua

@ -94,3 +94,40 @@ function waf_output()
ngx.exit(ngx.status)
end
end
-- ip to inter
function ipToInt(str)
local num = 0
if str and type(str)=="string" then
local o1,o2,o3,o4 = str:match("(%d+)%.(%d+)%.(%d+)%.(%d+)" )
num = 2^24*o1 + 2^16*o2 + 2^8*o3 + o4
end
return num
end
-- inter to ip
function intToIp(n)
if n then
n = tonumber(n)
local n1 = math.floor(n / (2^24))
local n2 = math.floor((n - n1*(2^24)) / (2^16))
local n3 = math.floor((n - n1*(2^24) - n2*(2^16)) / (2^8))
local n4 = math.floor((n - n1*(2^24) - n2*(2^16) - n3*(2^8)))
return n1.."."..n2.."."..n3.."."..n4
end
return "0.0.0.0"
end
-- subnet
function subnet(ip, masklen)
if masklen == 32 then
return ip
end
local ip = {string.match(ip, "(%d+).(%d+).(%d+).(%d+)")}
local pos = math.floor((masklen)/8) + 1
ip[pos] = ip[pos] - ip[pos] % 2^(8-masklen%8)
for i = pos + 1, #ip do
ip[i] = 0
end
return table.concat(ip, ".")
end
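Review bot: `subnet()` only short-circuits on `masklen == 32`, but both callers in the other file pass the mask as the substring after `/`, so for a string the shortcut never fires, `pos` becomes 5, `ip[5]` is nil and the line `ip[pos] = ip[pos] - ip[pos] % 2^(8-masklen%8)` throws; masks above 32 fail the same way. Normalise and bound-check at the top of the function: `masklen = tonumber(masklen)` followed by `if not masklen or masklen >= 32 then return ip end`. `ipToInt()` returns 0 for any string that is not a dotted quad and never checks that an octet is at most 255, so an IPv6 or otherwise unparsable client address compares as 0.0.0.0 against every rule: a blacklist entry can never match it and a whitelist range that starts at 0.0.0.0 would admit it; returning nil when the pattern does not match or an octet exceeds 255, and having callers skip the rule when either side is nil, would make that case explicit. The pattern in `subnet()` also leaves the dots unescaped (`"(%d+).(%d+).(%d+).(%d+)"`) and should use `%.` as `ipToInt()` already does.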