fix: process IPv6 Link-Local address (#1657)

wwqgtxx · wwqgtxx · commit 80e4eaad1463 · 2024-11-18T10:34:43.000+08:00
diff --git a/adapter/inbound/auth.go b/adapter/inbound/auth.go
@@ -34,12 +34,5 @@ func SkipAuthRemoteAddress(addr string) bool {
 }
 
 func skipAuth(addr netip.Addr) bool {
-	if addr.IsValid() {
-		for _, prefix := range skipAuthPrefixes {
-			if prefix.Contains(addr.Unmap()) {
-				return true
-			}
-		}
-	}
-	return false
+	return prefixesContains(skipAuthPrefixes, addr)
 }
diff --git a/adapter/inbound/ipfilter.go b/adapter/inbound/ipfilter.go
@@ -31,27 +31,17 @@ func IsRemoteAddrDisAllowed(addr net.Addr) bool {
 	if err := m.SetRemoteAddr(addr); err != nil {
 		return false
 	}
-	return isAllowed(m.AddrPort().Addr().Unmap()) && !isDisAllowed(m.AddrPort().Addr().Unmap())
+	ipAddr := m.AddrPort().Addr()
+	if ipAddr.IsValid() {
+		return isAllowed(ipAddr) && !isDisAllowed(ipAddr)
+	}
+	return false
 }
 
 func isAllowed(addr netip.Addr) bool {
-	if addr.IsValid() {
-		for _, prefix := range lanAllowedIPs {
-			if prefix.Contains(addr) {
-				return true
-			}
-		}
-	}
-	return false
+	return prefixesContains(lanAllowedIPs, addr)
 }
 
 func isDisAllowed(addr netip.Addr) bool {
-	if addr.IsValid() {
-		for _, prefix := range lanDisAllowedIPs {
-			if prefix.Contains(addr) {
-				return true
-			}
-		}
-	}
-	return false
+	return prefixesContains(lanDisAllowedIPs, addr)
 }
diff --git a/adapter/inbound/util.go b/adapter/inbound/util.go
@@ -61,3 +61,19 @@ func parseHTTPAddr(request *http.Request) *C.Metadata {
 
 	return metadata
 }
+
+func prefixesContains(prefixes []netip.Prefix, addr netip.Addr) bool {
+	if len(prefixes) == 0 {
+		return false
+	}
+	if !addr.IsValid() {
+		return false
+	}
+	addr = addr.Unmap().WithZone("") // netip.Prefix.Contains returns false if ip has an IPv6 zone
+	for _, prefix := range prefixes {
+		if prefix.Contains(addr) {
+			return true
+		}
+	}
+	return false
+}
diff --git a/rules/common/ipcidr.go b/rules/common/ipcidr.go
@@ -40,7 +40,7 @@ func (i *IPCIDR) Match(metadata *C.Metadata) (bool, string) {
 	if i.isSourceIP {
 		ip = metadata.SrcIP
 	}
-	return ip.IsValid() && i.ipnet.Contains(ip), i.adapter
+	return ip.IsValid() && i.ipnet.Contains(ip.WithZone("")), i.adapter
 }
 
 func (i *IPCIDR) Adapter() string {

Original file line number	Diff line number	Diff line change
`@@ -34,12 +34,5 @@ func SkipAuthRemoteAddress(addr string) bool {`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`func skipAuth(addr netip.Addr) bool {`
`37`		`- if addr.IsValid() {`
`38`		`- for _, prefix := range skipAuthPrefixes {`
`39`		`- if prefix.Contains(addr.Unmap()) {`
`40`		`- return true`
`41`		`- }`
`42`		`- }`
`43`		`- }`
`44`		`- return false`
	`37`	`+ return prefixesContains(skipAuthPrefixes, addr)`
`45`	`38`	`}`
Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ func (i IPCIDR) Match(metadata C.Metadata) (bool, string) {`
`40`	`40`	`if i.isSourceIP {`
`41`	`41`	`ip = metadata.SrcIP`
`42`	`42`	`}`
`43`		`- return ip.IsValid() && i.ipnet.Contains(ip), i.adapter`
	`43`	`+ return ip.IsValid() && i.ipnet.Contains(ip.WithZone("")), i.adapter`
`44`	`44`	`}`
`45`	`45`
`46`	`46`	`func (i *IPCIDR) Adapter() string {`