From e90fe5ac629f38abf1a788e363a3caaf71307caf Mon Sep 17 00:00:00 2001 From: 174001602 <174001602@qq.com> Date: Mon, 30 Nov 2020 19:45:30 +0800 Subject: [PATCH] =?UTF-8?q?update=20=E6=9B=B4=E6=96=B0ip=E9=BB=91=E7=99=BD?= =?UTF-8?q?=E5=90=8D=E5=8D=95=E7=9A=84=E8=BF=87=E6=BB=A4=E6=96=B9=E5=BC=8F?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 1.改写函数 white_ip_check() black_ip_check() 2.ip规则写法例子 whiteip blackip 192.168.1.1 单IP过滤 192.168.1.0/24 网段过滤 192.168.0.0,192.168.0.255 网段的起始过滤 3.lib.lua末尾增加功能函数 ipToInt(str) intToIp(n) subnet(ip, masklen)
---
 init.lua | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++++---
 lib.lua | 37 ++++++++++++++++++++++++++++++++
 2 files changed, 98 insertions(+), 3 deletions(-)
diff --git a/init.lua b/init.lua
index 9faf994..c114fb8 100644
--- a/init.lua
+++ b/init.lua
@@ -13,8 +13,37 @@ function white_ip_check()
 local WHITE_IP = get_client_ip()
 if IP_WHITE_RULE ~= nil then
 for _,rule in pairs(IP_WHITE_RULE) do
- if rule ~= "" and rulematch(WHITE_IP,rule,"jo") then
- log_record("White_IP",ngx.var.request_uri,"_","_")
+ if rule ~= "" then
+ RULE_IP_START = 9999999999
+ RULE_IP_END = 9999999999
+ if string.find(rule, ",") then
+ local s,l = string.find(rule, ",")
+ local num = 0
+ num = l - 1
+ RULE_IP_START = ipToInt(string.sub(rule, 1, num))
+ num = l + 1
+ RULE_IP_END = ipToInt(string.sub(rule, num))
+ elseif string.find(rule, "/") then
+ local s,l = string.find(rule, "/")
+ local num = 0
+ num = l - 1
+ RULE_IP = string.sub(rule, 1, num)
+ num = l + 1
+ RULE_END = string.sub(rule, num)
+ RULE_IP_START = ipToInt(subnet(RULE_IP, RULE_END))
+ if tonumber(RULE_END) ~= '' and tonumber(RULE_END) < 32 then
+ RULE_IP_END = RULE_IP_START + 2^(32 - RULE_END) - 1
+ else
+ RULE_IP_END = RULE_IP_START
+ end
+ elseif (rule ~= 'unknown') then
+ RULE_IP_START = ipToInt(rule)
+ RULE_IP_END = RULE_IP_START
+ end
+ end
+ local Num_White_IP = ipToInt(get_client_ip())
+ if rule ~= "" and RULE_IP_START <= Num_White_IP and Num_White_IP <= RULE_IP_END then
+ log_record("White_IP",ngx.var.request_uri,"_",rule)
 return true
 end
 end
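Review bot: The `/` branch mishandles its mask: `RULE_END` is the raw substring, so `tonumber(RULE_END) ~= ''` is always true (a number never equals a string) and `tonumber(RULE_END) < 32` raises on a non-numeric mask, while a valid `/32` is passed as the string `"32"` to `subnet`, where `masklen == 32` is false in Lua and the function goes on to index a fifth octet that does not exist. `RULE_IP_START`, `RULE_IP_END`, `RULE_IP` and `RULE_END` are assigned without `local` and so become globals shared by every request in the worker; declare them inside the loop body, and compute `ipToInt(WHITE_IP)` once before the loop instead of calling `get_client_ip()` again for each rule. The identical block in the black_ip_check hunk below needs the same changes. white_ip_check's signature is only visible in the hunk header; the mask branch could read:
```lua
        elseif string.find(rule, "/") then
          local _, l = string.find(rule, "/")
          local rule_ip = string.sub(rule, 1, l - 1)
          local masklen = tonumber(string.sub(rule, l + 1))
          -- an unparsable or out-of-range mask leaves the no-match sentinel in place
          if masklen and masklen >= 0 and masklen <= 32 then
            RULE_IP_START = ipToInt(subnet(rule_ip, masklen))
            RULE_IP_END = RULE_IP_START + 2^(32 - masklen) - 1
          end
        -- … unchanged: single-IP branch, client-IP conversion and range test …
```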
@@ -29,7 +58,36 @@ function black_ip_check()
 local BLACK_IP = get_client_ip()
 if IP_BLACK_RULE ~= nil then
 for _,rule in pairs(IP_BLACK_RULE) do
- if rule ~= "" and rulematch(BLACK_IP,rule,"jo") then
+ if rule ~= "" then
+ RULE_IP_START = 9999999999
+ RULE_IP_END = 9999999999
+ if string.find(rule, ",") then
+ local s,l = string.find(rule, ",")
+ local num = 0
+ num = l - 1
+ RULE_IP_START = ipToInt(string.sub(rule, 1, num))
+ num = l + 1
+ RULE_IP_END = ipToInt(string.sub(rule, num))
+ elseif string.find(rule, "/") then
+ local s,l = string.find(rule, "/")
+ local num = 0
+ num = l - 1
+ RULE_IP = string.sub(rule, 1, num)
+ num = l + 1
+ RULE_END = string.sub(rule, num)
+ RULE_IP_START = ipToInt(subnet(RULE_IP, RULE_END))
+ if tonumber(RULE_END) ~= '' and tonumber(RULE_END) < 32 then
+ RULE_IP_END = RULE_IP_START + 2^(32 - RULE_END) - 1
+ else
+ RULE_IP_END = RULE_IP_START
+ end
+ elseif (rule ~= 'unknown') then
+ RULE_IP_START = ipToInt(rule)
+ RULE_IP_END = RULE_IP_START
+ end
+ end
+ local Num_Black_IP = ipToInt(get_client_ip())
+ if rule ~= "" and RULE_IP_START <= Num_Black_IP and Num_Black_IP <= RULE_IP_END then
 -- log_record('BlackList_IP',ngx.var.request_uri,"_","_")
 if config_waf_enable == "on" then
 ngx.header.content_type = "text/html"
diff --git a/lib.lua b/lib.lua
index 79b78e6..ebd1038 100644
--- a/lib.lua
+++ b/lib.lua
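Review bot: The rule parsing from `RULE_IP_START = 9999999999` down to the `Num_Black_IP` comparison is a line-for-line copy of the block added to white_ip_check in the previous hunk, so both carry the same defects (noted there) and every later fix has to be made twice. Move it into one helper next to the new lib.lua functions, e.g. `ip_rule_range(rule)` returning the numeric start and end of a rule or nil for one it cannot parse, and reduce both checks to `local start_ip, end_ip = ip_rule_range(rule)` followed by `if start_ip and start_ip <= client_num and client_num <= end_ip then`, with `client_num` computed once before the loop. black_ip_check continues past the end of this hunk.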
@@ -94,3 +94,40 @@ function waf_output()
 ngx.exit(ngx.status)
 end
 end
+
+-- ip to inter
+function ipToInt(str)
+ local num = 0
+ if str and type(str)=="string" then
+ local o1,o2,o3,o4 = str:match("(%d+)%.(%d+)%.(%d+)%.(%d+)" )
+ num = 2^24*o1 + 2^16*o2 + 2^8*o3 + o4
+ end
+ return num
+end
+
+-- inter to ip
+function intToIp(n)
+ if n then
+ n = tonumber(n)
+ local n1 = math.floor(n / (2^24))
+ local n2 = math.floor((n - n1*(2^24)) / (2^16))
+ local n3 = math.floor((n - n1*(2^24) - n2*(2^16)) / (2^8))
+ local n4 = math.floor((n - n1*(2^24) - n2*(2^16) - n3*(2^8)))
+ return n1.."."..n2.."."..n3.."."..n4
+ end
+ return "0.0.0.0"
+end
+
+-- subnet
+function subnet(ip, masklen)
+ if masklen == 32 then
+ return ip
+ end
+ local ip = {string.match(ip, "(%d+).(%d+).(%d+).(%d+)")}
+ local pos = math.floor((masklen)/8) + 1
+ ip[pos] = ip[pos] - ip[pos] % 2^(8-masklen%8)
+ for i = pos + 1, #ip do
+ ip[i] = 0
+ end
+ return table.concat(ip, ".")
+end
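Review bot: `ipToInt` raises instead of failing cleanly when its argument is not a dotted quad: `str:match` returns nil for an IPv6 literal, `unknown` or any other non-IPv4 string and the next line then evaluates `2^24*nil`. Both callers feed it `get_client_ip()`, so whether a client can provoke that error depends on how get_client_ip derives the address (not visible in this patch); in any case the function should return nil for input it cannot parse, anchor its pattern and range-check the octets so that `1.2.3.256` does not alias `1.2.4.0`, with the two callers treating nil as no match. `subnet` has a related defect: its pattern `"(%d+).(%d+).(%d+).(%d+)"` leaves `.` unescaped (matching any character) and should be `"(%d+)%.(%d+)%.(%d+)%.(%d+)"`, and `masklen == 32` only holds when the caller passes a number, so begin with `masklen = tonumber(masklen)`. `intToIp` is not used by this change and would also need `tonumber(n)` checked for nil before the arithmetic.
```lua
-- Dotted-quad IPv4 string to its 32-bit numeric value; nil when str is not one.
function ipToInt(str)
  if type(str) ~= "string" then return nil end
  -- anchored so partial matches and IPv6 literals are rejected outright
  local o1, o2, o3, o4 = str:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if not o1 then return nil end
  o1, o2, o3, o4 = tonumber(o1), tonumber(o2), tonumber(o3), tonumber(o4)
  -- an octet above 255 would silently overflow into the next one
  if o1 > 255 or o2 > 255 or o3 > 255 or o4 > 255 then return nil end
  return 2^24 * o1 + 2^16 * o2 + 2^8 * o3 + o4
end
-- … unchanged: intToIp, subnet …
```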