Private IP Address Identifier in Regular Expression
I'm wondering if this is the best way to match a string that starts with a private IP address (Perl-style Regex):
(^127\.0\.0\.1)|(^192\.168)|(^10\.)|(^172\.1[6-9])|开发者_Python百科(^172\.2[0-9])|(^172\.3[0-1])
Thanks much!
I'm assuming you want to match these ranges:
127. 0.0.0 – 127.255.255.255 127.0.0.0 /8 10. 0.0.0 – 10.255.255.255 10.0.0.0 /8 172. 16.0.0 – 172. 31.255.255 172.16.0.0 /12 192.168.0.0 – 192.168.255.255 192.168.0.0 /16
You are missing some dots that would cause it to accept for example 172.169.0.0 even though this should not be accepted. I've fixed it below. Remove the new lines, it's just for readability.
(^127\.)|
(^10\.)|
(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|
(^192\.168\.)
Also note that this assumes that the IP addresses have already been validated - it accepts things like 10.foobar.
This is the same as the correct answer by Mark, but now including IPv6 private addresses.
/(^127\.)|(^192\.168\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^::1$)|(^[fF][cCdD])/
I have generated this
REGEXP FOR CLASS A NETWORKS :
(10)(\.([2]([0-5][0-5]|[01234][6-9])|[1][0-9][0-9]|[1-9][0-9]|[0-9])){3}
REGEXP FOR CLASS B NETWORKS :
(172)\.(1[6-9]|2[0-9]|3[0-1])(\.(2[0-4][0-9]|25[0-5]|[1][0-9][0-9]|[1-9][0-9]|[0-9])){2}
REGEXP FOR CLASS C NETWORKS :
(192)\.(168)(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])){2}
Let me know if you encounter any error
If you are sure of your output (say for example netstat) and you have no need to check about IP address validity because it is already done, then you can catch private ip addresses with this formula
grep -P "(10.|192.168|172.1[6-9].|172.2[0-9].|172.3[01].).* "
here is what I use in python:
rfc1918 = re.compile('^(10(\.(25[0-5]|2[0-4][0-9]|1[0-9]{1,2}|[0-9]{1,2})){3}|((172\.(1[6-9]|2[0-9]|3[01]))|192\.168)(\.(25[0-5]|2[0-4][0-9]|1[0-9]{1,2}|[0-9]{1,2})){2})$')
You can remove the ^ and/or $ anchors if you wish.
I prefer the above regex because it weeds out invalid octets (anything above 255).
example usage:
if rfc1918.match(ip):
print "ip is private"
This is in case you decide to go with my comment, suggesting you don't use regexps. Untested (but probably works, or at least close), in Perl:
@private = (
{network => inet_aton('127.0.0.0'), mask => inet_aton('255.0.0.0') },
{network => inet_aton('192.168.0.0'), mask => inet_aton('255.255.0.0') },
# ...
);
$ip = inet_aton($ip_text);
if (grep $ip & $_->{mask} == $_->{network}, @private) {
# ip address is private
} else {
# ip address is not private
}
Note now how @private is just data, which you can easily change. Or download on the fly from the Cymru Bogon Reference.
edit: It occurs to me that asking for a Perl regexp doesn't mean you know Perl, so the key line is there is the 'grep', which just loops over each private address range. You take your IP, bitwise and it with the netmask, and compare to the network address. If equal, its part of that private network.
Looks right. Personally, I'd change the first one to:
^127\.0
With this: (^127\.0\.0\.1) you looking for anything that starts with 127.0.0.1 and will miss out on 127.0.0.2*, 127.0.2.*, 127.0.* etc.
10 years late. Credits to Mark Byers, bramp, Edward, blueyed, user3177026, Justin, karmakaze, Ron Maupin.
Answer TLDR
Beginning only
Please remove the line breaks - this is just to make it easier to read:
^(?:
127\.|
0?10\.|
172\.0?1[6-9]\.|
172\.0?2[0-9]\.|
172\.0?3[01]\.|
192\.168\.|
169\.254\.|
::1|
[fF][cCdD][0-9a-fA-F]{2}:|
[fF][eE][89aAbB][0-9a-fA-F]:
)
The ?: at the beginning of the parenthesis means that this parenthesis is not captured and may make it a bit faster.
Please be careful with the backslash. In Postgres e.g. you have to use an E string and have to escape the backslash with a backslash - or just use [.] instead of E'\\.'!
The whole IP (decimal, leading zeros optional, max. three digits)
Please remove the line breaks - this is just to make it easier to read:
\b(
127\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|
0?10\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|
172\.0?1[6-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|
172\.0?2[0-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|
172\.0?3[01]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|
192\.168\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|
169\.254\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|
::1|
[fF][cCdD][0-9a-fA-F]{2}(?:[:][0-9a-fA-F]{0,4}){0,7}|
[fF][eE][89aAbB][0-9a-fA-F](?:[:][0-9a-fA-F]{0,4}){0,7}
)
(?:\/([789]|1?[0-9]{2}))?
\b
https://regex101.com/r/JCLOZL/14 (Backup: https://etherpad.wikimedia.org/p/JCLOZL)
Details
IPv4
127.0.0.0 to 127.255.255.255 is 127.0.0.0/8 # localhost, loopback etc.
10.0.0.0 to 10.255.255.255 is 10.0.0.0/8 # approximately/formerly class A
172.16.0.0 to 172.31.255.255 is 172.16.0.0/12 # approximately/formerly class B
192.168.0.0 to 192.168.255.255 is 192.168.0.0/16 # approximately/formerly class C
169.254.0.0 to 169.254.255.255 is 169.254.0.0/16 # link-local addresses since 2005
Example:
172.17.50.33 or more explicit:
172.17.50.33/32
I'm not sure if the part behind the slash can have leading zeros (unlikely), but the IP can have leading zeros.
IPv4 with leading zeros (decimal)
127.000.000.000 to 127.255.255.255 is 127.000.000.000/8 # localhost, loopback etc.
010.000.000.000 to 010.255.255.255 is 010.000.000.000/8 # approx/formerly class A
172.016.000.000 to 172.031.255.255 is 172.016.000.000/12 # approx/formerly class B
192.168.000.000 to 192.168.255.255 is 192.168.000.000/16 # approx/formerly class C
169.254.000.000 to 169.254.255.255 is 169.254.000.000/16 # link-local addresses
Example:
172.017.050.033 or more explicit:
172.017.050.033/32
IPv4 with leading zeros (octal)
Not supported in my regex. To make your program perfect, check and warn the user about octal IP addresses and/or more than three digits!
0177.0000.0000.0000 to 0177.0377.0377.0377 is 0177.0000.0000.0000/8 # loopback
0012.0000.0000.0000 to 0012.0377.0377.0377 is 0012.0000.0000.0000/8 # A
0254.0020.0000.0000 to 0254.0037.0377.0377 is 0254.0020.0000.0000/12 # B
0300.0250.0000.0000 to 0300.0250.0377.0377 is 0300.0250.0000.0000/16 # C
0251.0376.0000.0000 to 0251.0376.0377.0377 is 0251.0376.0000.0000/16 # link-local
Example:
0254.0021.0062.0041 or more explicit:
0254.0021.0062.0041/32
Yes, 172.017.050.033 is the same as 0254.0021.0062.0041 on different tools. Tested with ping on macOS.
Of course, you can also mix decimal (no leading zero) with octal (at least one leading zero) in some tools. :S
IPv6
fc00:0000:… to fdff:ffff:… is fc00::/7
fe80:0000:… to febf:ffff:… is fe80::/10 # link-local addresses
This might not exactly what you want because:
Private IPv4 addresses are defined by RFC 1918, Address Allocation for Private Internets, and the addresses are used in multiple networks all over. IPv6 ULA addresses are meant to be unique (the "U" in ULA), not to be reused in multiple places, which is the reason they are required to have 40 random bits in the Global ID, giving a high expectation of uniqueness.
All the addresses from the public Internet will be in the range from 2000:: to 3fff:ffff:ffff:ffff:ffff:ffff:ffff:ffff (2000::/3).
You need to properly mask an address to see if it is in the public range, then do the same thing for the non-public ranges in the public range. If it passes the public range test, it must fail the non-public ranges within the public range. If it passes all that, it is a public address.
IOT devices also get Global (public) IPv6 addresses. The point of IPv6 is that there are enough addresses that every interface on every device gets a Global IPv6 address, restoring the way IP was originally designed (no more NAT kludge to work around).
Some addresses internal to your webserver will be Link-Local addresses (fe80::/10), and it is possible to assign ULA addresses (fc00::/7 of which you can assign from fd00::/8 with certain limitations) for traffic that will never be allowed on the public Internet.
Example:
fdff:1234:abcd:5678:effe:9098:dcba:7654 or more explicit:
fdff:1234:abcd:5678:effe:9098:dcba:7654/128
Incomplete link list
When I came here, I did not know about:
- https://en.wikipedia.org/wiki/Private_network#Link-local_addresses
- https://en.wikipedia.org/wiki/Multicast_address (
224.0.0.0/24) - https://stackoverflow.com/a/46399203/1707015
If you're looking for system.net defaultProxy and proxy bypasslist config that uses a proxy for external but uses direct connections for internal hosts (could do with some ipv6 support)...
<system.net>
<defaultProxy enabled="true">
<proxy proxyaddress="http://proxycluster.privatedomain.net:8080" bypassonlocal="True" />
<bypasslist>
<!-- exclude local host -->
<add address="^(http|https)://localhost$" />
<!-- excludes *.privatedomain.net -->
<add address="^(http|https)://.*\.privatedomain\.net$" />
<!-- excludes simple host names -->
<add address="^(http|https)://[a-z][a-z0-9\-_]*$" />
<!-- exclude private network addresses 192.168, 172.16..31 through 31, 127.* etc. -->
<add address="^(http|https)://((((127)|(10))\.[0-9]+\.[0-9]+\.[0-9]+)|(((172\.(1[6-9]|2[0-9]|3[0-1]))|(192\.168))\.[0-9]+\.[0-9]+))$"/>
</bypasslist>
</defaultProxy>
<connectionManagement>
<add address="*" maxconnection="10" />
</connectionManagement>
</system.net>
This is the compact form of Mark Byers solution:
^(172\.(1[6-9]\.|2[0-9]\.|3[0-1]\.)|192\.168\.|10\.|127\.)
//RegEx to check for the following ranges. IPv4 only
//172.16-31.xxx.xxx
//10.xxx.xxx.xxx
//169.254.xxx.xxx
//192.168.xxx.xxx
var regex = /(^127\.)|(^(0)?10\.)|(^172\.(0)?1[6-9]\.)|(^172\.(0)?2[0-9]\.)|(^172\.(0)?3[0-1]\.)|(^169\.254\.)|(^192\.168\.)/;
You need an end separator in order to get the whole 4-th octet in case it is more than one digit.
^(10.([0-9][0-9]?|[0-1][0-9]?[0-9]?|2[0-4]?[0-9]?|25[0-5])|172.(1[6-9]|2[0-9]|3[0-1])|192.168).([0-9][0-9]?|[0-1][0-9]?[0-9]?|2[0-4]?[0-9]?|25[0-5]).([0-9][0-9]?|[0-1][0-9]?[0-9]?|2[0-4]?[0-9]?|25[0-5])$
As per https://en.wikipedia.org/wiki/Reserved_IP_addresses#IPv4, the best way to check is comparing it with IP ranges one by one. For example, JavaScript code:
/**
* Check if IPv4 is reserved
*
* Reserved IPv4
* ```
* 0.0.0.0/8 : 0.0.0.0 - 0.255.255.255
* 10.0.0.0/8 : 10.0.0.0 - 10.255.255.255
* 100.64.0.0/10 : 100.64.0.0 - 100.127.255.255
* 127.0.0.0/8 : 127.0.0.0 - 127.255.255.255
* 169.254.0.0/16 : 169.254.0.0 - 169.254.255.255
* 172.16.0.0/12 : 172.16.0.0 - 172.31.255.255
* 192.0.0.0/24 : 192.0.0.0 - 192.0.0.255
* 192.0.2.0/24 : 192.0.2.0 - 192.0.2.255
* 192.88.99.0/24 : 192.88.99.0 - 192.88.99.255
* 192.168.0.0/16 : 192.168.0.0 - 192.168.255.255
* 198.18.0.0/15 : 198.18.0.0 - 198.19.255.255
* 198.51.100.0/24 : 198.51.100.0 - 198.51.100.255
* 203.0.113.0/24 : 203.0.113.0 - 203.0.113.255
* 224.0.0.0/4 : 224.0.0.0 - 239.255.255.255
* 233.252.0.0/24 : 233.252.0.0 - 233.252.0.255
* 240.0.0.0/4 : 240.0.0.0 - 255.255.255.254
* 255.255.255.255/32: 255.255.255.255
* ```
*
* @param {string} ip
*/
function reservedIPv4(ip) {
const [a, b, c, d] = ip.split('.').map(n => +n);
if (a === 0 || a === 10 || a === 127 ) return true;
if (a === 100 && b >= 64 && b <= 127) return true;
if (a === 169 && b === 254) return true;
if (a === 172 && b >= 16 && b <= 31) return true;
if (a === 192) {
if (b === 0 && (c === 0 || c === 2)) return true;
if (b === 88 && c === 99) return true;
if (b === 168) return true;
}
if (a === 198) {
if (b >= 18 && b <= 19) return true;
if (b === 51 && c === 100) return true;
}
if (a === 203 && b === 0 && c === 113) return true;
if (a >= 224 && a <= 239) return true;
if (a === 233 && b === 252 && c === 0) return true;
if (a >= 240 && a <= 255 && d != 255) return true;
if (a === 255 && b === 255 && c === 255 && d === 255) return true;
return false;
}
FWIW this pattern was over 10% faster using pattern.matcher:
^1((0)|(92\\.168)|(72\\.((1[6-9])|(2[0-9])|(3[0-1])))|(27))\\.
加载中,请稍侯......
精彩评论