mirror of
https://github.com/fosrl/pangolin.git
synced 2026-05-04 19:44:47 +00:00
Exclude local/private/CGNAT IPs from COUNTRY=ALL and ASN=ALL/AS0 geo-blocking rules
This commit is contained in:
Mustafa
GitHub
@@ -1003,7 +1003,11 @@ async function checkRules(
|
|||||||
isIpInCidr(clientIp, rule.value)
|
isIpInCidr(clientIp, rule.value)
|
||||||
) {
|
) {
|
||||||
return rule.action as any;
|
return rule.action as any;
|
||||||
} else if (clientIp && rule.match == "IP" && clientIp == rule.value) {
|
} else if (
|
||||||
|
clientIp &&
|
||||||
|
rule.match == "IP" &&
|
||||||
|
clientIp == rule.value
|
||||||
|
) {
|
||||||
return rule.action as any;
|
return rule.action as any;
|
||||||
} else if (
|
} else if (
|
||||||
path &&
|
path &&
|
||||||
@@ -1013,16 +1017,35 @@ async function checkRules(
|
|||||||
return rule.action as any;
|
return rule.action as any;
|
||||||
} else if (
|
} else if (
|
||||||
clientIp &&
|
clientIp &&
|
||||||
rule.match == "COUNTRY" &&
|
rule.match == "COUNTRY"
|
||||||
(await isIpInGeoIP(ipCC, rule.value))
|
|
||||||
) {
|
) {
|
||||||
return rule.action as any;
|
// COUNTRY=ALL should not affect local/private/CGNAT addresses.
|
||||||
|
if (
|
||||||
|
rule.value.toUpperCase() === "ALL" &&
|
||||||
|
isLocalOrCarrierGradeNatIp(clientIp)
|
||||||
|
) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (await isIpInGeoIP(ipCC, rule.value)) {
|
||||||
|
return rule.action as any;
|
||||||
|
}
|
||||||
} else if (
|
} else if (
|
||||||
clientIp &&
|
clientIp &&
|
||||||
rule.match == "ASN" &&
|
rule.match == "ASN"
|
||||||
(await isIpInAsn(ipAsn, rule.value))
|
|
||||||
) {
|
) {
|
||||||
return rule.action as any;
|
// ASN=ALL/AS0 should not affect local/private/CGNAT addresses.
|
||||||
|
if (
|
||||||
|
(rule.value.toUpperCase() === "ALL" ||
|
||||||
|
rule.value.toUpperCase() === "AS0") &&
|
||||||
|
isLocalOrCarrierGradeNatIp(clientIp)
|
||||||
|
) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (await isIpInAsn(ipAsn, rule.value)) {
|
||||||
|
return rule.action as any;
|
||||||
|
}
|
||||||
} else if (
|
} else if (
|
||||||
clientIp &&
|
clientIp &&
|
||||||
rule.match == "REGION" &&
|
rule.match == "REGION" &&
|
||||||
@@ -1184,6 +1207,26 @@ async function isIpInGeoIP(
|
|||||||
return ipCountryCode?.toUpperCase() === checkCountryCode.toUpperCase();
|
return ipCountryCode?.toUpperCase() === checkCountryCode.toUpperCase();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function isLocalOrCarrierGradeNatIp(ip: string): boolean {
|
||||||
|
const localAndCgnatCidrs = [
|
||||||
|
"10.0.0.0/8",
|
||||||
|
"172.16.0.0/12",
|
||||||
|
"192.168.0.0/16",
|
||||||
|
"100.64.0.0/10",
|
||||||
|
"127.0.0.0/8",
|
||||||
|
"169.254.0.0/16",
|
||||||
|
"::1/128",
|
||||||
|
"fc00::/7",
|
||||||
|
"fe80::/10"
|
||||||
|
];
|
||||||
|
|
||||||
|
try {
|
||||||
|
return localAndCgnatCidrs.some((cidr) => isIpInCidr(ip, cidr));
|
||||||
|
} catch {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
async function isIpInAsn(
|
async function isIpInAsn(
|
||||||
ipAsn: number | undefined,
|
ipAsn: number | undefined,
|
||||||
checkAsn: string
|
checkAsn: string
|
||||||
|
|||||||
Reference in New Issue
Block a user