diff --git a/urlfilter/Makefile b/urlfilter/Makefile
index e4adfca11..fa3339b94 100644
--- a/urlfilter/Makefile
+++ b/urlfilter/Makefile
@@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=urlfilter
-PKG_VERSION:=2.0.0
+PKG_VERSION:=2.0.1
 LOCAL_DEV:=0
 ifneq ($(LOCAL_DEV),1)
@@ -44,13 +44,20 @@ endif
 define Package/urlfilter/install
 $(INSTALL_DIR) $(1)/usr/sbin
- $(INSTALL_DIR) $(1)/etc/config
- $(INSTALL_DIR) $(1)/etc/init.d
- $(INSTALL_DIR) $(1)/etc/uci-defaults
- $(INSTALL_DIR) $(1)/etc/urlfilter
 $(INSTALL_BIN) $(PKG_BUILD_DIR)/urlfilter $(1)/usr/sbin
+
+ $(INSTALL_DIR) $(1)/etc/init.d
 $(INSTALL_BIN) ./files/etc/init.d/urlfilter $(1)/etc/init.d/
+
+ $(INSTALL_DIR) $(1)/etc/config
 $(INSTALL_DATA) ./files/etc/config/urlfilter $(1)/etc/config/
+
+ $(INSTALL_DIR) $(1)/etc/
+ $(INSTALL_DATA) ./files/etc/firewall.urlfilter $(1)/etc/
+
+ $(INSTALL_DIR) $(1)/etc/uci-defaults
+ $(INSTALL_DATA) ./files/etc/uci-defaults/95-urlfilter_add_firewall_rule $(1)/etc/uci-defaults
+
 $(BBFDM_INSTALL_MS_DM) ./files/etc/urlfilter/urlfilter.json $(1) $(PKG_NAME)
 endef
diff --git a/urlfilter/files/etc/firewall.urlfilter b/urlfilter/files/etc/firewall.urlfilter
new file mode 100644
index 000000000..cdfaaff79
--- /dev/null
+++ b/urlfilter/files/etc/firewall.urlfilter
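Review bot: The install recipe ships `/etc/firewall.urlfilter` plus the uci-defaults script that registers it as a firewall include, but nothing in this hunk undoes that registration, so removing the package leaves a `firewall.urlfilter` include section pointing at a file that no longer exists, and the NFQUEUE/ebtables rules the include last installed stay in the kernel until the next firewall reload. Unless a `Package/urlfilter/prerm` already exists outside this hunk, I would add one that deletes the UCI section and reloads the firewall on a live system. Minor: the uci-defaults script is sourced by `uci_apply_defaults`, so the 0644 from `$(INSTALL_DATA)` works, but `$(INSTALL_BIN)` is the usual OpenWrt convention for scripts under `/etc/uci-defaults`.
```make
define Package/urlfilter/prerm
#!/bin/sh
# Drop the firewall include registered by 95-urlfilter_add_firewall_rule and
# reload so the NFQUEUE/ebtables rules it installed leave with the package.
uci -q delete firewall.urlfilter && uci commit firewall
[ -n "$${IPKG_INSTROOT}" ] || /etc/init.d/firewall reload
exit 0
endef
```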
@@ -0,0 +1,31 @@
+
+iptables -w -nL FORWARD|grep -iqE "NFQUEUE"
+if [ "$?" -ne 0 ]; then
+ # setup netfilter queue 0, use queue bypass so that if no application is
+ # listening to this queue then traffic is unaffected.
+ iptables -w -I FORWARD 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+ iptables -w -I FORWARD 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+
+ iptables -w -I INPUT 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+ iptables -w -I INPUT 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+
+ # disable acceleration for https packet so that they can be read by urlfilter
+ ebtables --concurrent -A FORWARD -p ip --ip-protocol 6 --ip-destination-port 443 -j SKIPLOG 2> /dev/null
+ ebtables --concurrent -A FORWARD -p ip --ip-protocol 6 --ip-source-port 53 -j SKIPLOG 2> /dev/null
+ ebtables --concurrent -A FORWARD -p ip --ip-protocol 17 --ip-source-port 53 -j SKIPLOG 2> /dev/null
+fi
+
+ip6tables -w -nL FORWARD|grep -iqE "NFQUEUE"
+if [ "$?" -ne 0 ]; then
+ #ip6table rules
+ ip6tables -w -I FORWARD 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+ ip6tables -w -I FORWARD 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+
+ ip6tables -w -I INPUT 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+ ip6tables -w -I INPUT 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+
+ # disable acceleration for https packet so that they can be read by urlfilter
+ ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 6 --ip6-destination-port 443 -j SKIPLOG 2> /dev/null
+ ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 6 --ip6-source-port 53 -j SKIPLOG 2> /dev/null
+ ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 17 --ip6-source-port 53 -j SKIPLOG 2> /dev/null
+fi
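Review bot: The idempotency guard `iptables -w -nL FORWARD|grep -iqE "NFQUEUE"` is too coarse: it skips the whole block, INPUT rules and ebtables rules included, whenever any NFQUEUE rule sits in FORWARD (even one owned by another package), and when the block does run the `ebtables -A` lines append with no check of their own, so every firewall reload that flushes the iptables chains (fw3 does on `reload`, as far as I know) stacks another set of SKIPLOG rules. Checking each iptables rule individually with `-C` before inserting it, and deleting-then-appending the ebtables rules (legacy ebtables has no `-C`), makes the script safe to run any number of times. Two facts deserve a comment at the top of the file: the rules are installed irrespective of `urlfilter.globals.enable` (only the daemon is gated, in the init script), and `--queue-bypass` makes the filter fail-open, so a crashed or stopped urlfilter silently passes all traffic.
```sh
# Insert an iptables/ip6tables rule at the head of CHAIN only if it is not already present.
ipt_add() {
	local ipt="$1" chain="$2"; shift 2
	"$ipt" -w -C "$chain" "$@" 2>/dev/null || "$ipt" -w -I "$chain" 1 "$@"
}

# Legacy ebtables has no -C: drop any earlier copy before appending so reloads do not stack rules.
ebt_add() {
	ebtables --concurrent -D FORWARD "$@" 2>/dev/null
	ebtables --concurrent -A FORWARD "$@" 2>/dev/null
}

for ipt in iptables ip6tables; do
	for proto in tcp udp; do
		ipt_add "$ipt" FORWARD -p "$proto" --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
		ipt_add "$ipt" INPUT -p "$proto" --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
	done
done
# … unchanged: the six ebtables SKIPLOG rules, each now passed through ebt_add …
```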
diff --git a/urlfilter/files/etc/init.d/urlfilter b/urlfilter/files/etc/init.d/urlfilter
index 50b370737..73ede5c6e 100755
--- a/urlfilter/files/etc/init.d/urlfilter
+++ b/urlfilter/files/etc/init.d/urlfilter
@@ -7,44 +7,9 @@ USE_PROCD=1
 NAME=urlfilter
 PROG=/usr/sbin/urlfilter
-configure_firewall()
-{
- iptables -w -nL FORWARD|grep -iqE "NFQUEUE"
- if [ "$?" -ne 0 ]; then
- # setup netfilter queue 0, use queue bypass so that if no application is
- # listening to this queue then traffic is unaffected.
- iptables -w -I FORWARD 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
- iptables -w -I FORWARD 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
-
- iptables -w -I INPUT 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
- iptables -w -I INPUT 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
-
- # disable acceleration for https packet so that they can be read by urlfilter
- ebtables --concurrent -A FORWARD -p ip --ip-protocol 6 --ip-destination-port 443 -j SKIPLOG 2> /dev/null
- ebtables --concurrent -A FORWARD -p ip --ip-protocol 6 --ip-source-port 53 -j SKIPLOG 2> /dev/null
- ebtables --concurrent -A FORWARD -p ip --ip-protocol 17 --ip-source-port 53 -j SKIPLOG 2> /dev/null
- fi
- ip6tables -w -nL FORWARD|grep -iqE "NFQUEUE"
- if [ "$?" -ne 0 ]; then
- #ip6table rules
- ip6tables -w -I FORWARD 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
- ip6tables -w -I FORWARD 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
-
- ip6tables -w -I INPUT 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
- ip6tables -w -I INPUT 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
-
- # disable acceleration for https packet so that they can be read by urlfilter
- ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 6 --ip6-destination-port 443 -j SKIPLOG 2> /dev/null
- ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 6 --ip6-source-port 53 -j SKIPLOG 2> /dev/null
- ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 17 --ip6-source-port 53 -j SKIPLOG 2> /dev/null
- fi
-
-}
-
 start_service() {
 if [ "$(uci -q get urlfilter.globals.enable)" == "1" ]; then
- configure_firewall
 procd_open_instance urlfilter
 procd_set_param command ${PROG}
 procd_set_param respawn
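Review bot: With `configure_firewall` gone, nothing left in `start_service` tells a reader where the NFQUEUE rules the daemon listens on come from; the answer (the fw3 include `/etc/firewall.urlfilter`, run at firewall start and on every reload) lives in a different file. A one-line comment above `procd_open_instance urlfilter` would save the next maintainer the search: `# NFQUEUE/ebtables rules are installed by /etc/firewall.urlfilter (firewall include, reload=1), not by this script`. Because the rules use `--queue-bypass`, the daemon starting before or after the include has run is equally safe, which is worth saying in the same comment. `start_service` continues past the end of this hunk.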
@@ -59,40 +24,11 @@ start_service() {
 fi
 }
-stop_service() {
- iptables -w -nL FORWARD|grep -iqE "NFQUEUE"
- if [ "$?" -eq 0 ]; then
- iptables -w -D FORWARD -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
- iptables -w -D FORWARD -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
-
- iptables -w -D INPUT -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
- iptables -w -D INPUT -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
-
- ebtables --concurrent -D FORWARD -p ip --ip-protocol 6 --ip-destination-port 443 -j SKIPLOG 2> /dev/null
- ebtables --concurrent -D FORWARD -p ip --ip-protocol 6 --ip-source-port 53 -j SKIPLOG 2> /dev/null
- ebtables --concurrent -D FORWARD -p ip --ip-protocol 17 --ip-source-port 53 -j SKIPLOG 2> /dev/null
- fi
- ip6tables -w -nL FORWARD|grep -iqE "NFQUEUE"
- if [ "$?" -eq 0 ]; then
- #ip6table rules
- ip6tables -w -D FORWARD -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
- ip6tables -w -D FORWARD -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
-
- ip6tables -w -D INPUT -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
- ip6tables -w -D INPUT -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
-
- ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 6 --ip6-destination-port 443 -j SKIPLOG 2> /dev/null
- ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 6 --ip6-source-port 53 -j SKIPLOG 2> /dev/null
- ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 17 --ip6-source-port 53 -j SKIPLOG 2> /dev/null
- fi
-}
 reload_service() {
 stop
 start
 }
-
 service_triggers() {
 procd_add_reload_trigger "urlfilter"
- procd_add_reload_trigger "firewall"
 }
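Review bot: Dropping `stop_service` means `/etc/init.d/urlfilter stop`, or setting `urlfilter.globals.enable=0` and reloading, now leaves the NFQUEUE and ebtables SKIPLOG rules in place: with `--queue-bypass` traffic keeps flowing, so the filter fails open with no visible change, and the SKIPLOG rules keep HTTPS and DNS off the acceleration path for as long as the package is installed, enabled or not. If the firewall include is meant to own the rules, it should at least honour the enable flag (`[ "$(uci -q get urlfilter.globals.enable)" = "1" ] || exit 0` at its top) and `start_service`/`stop_service` should trigger `/etc/init.d/firewall reload` so that toggling the option actually changes the ruleset; otherwise a `stop_service` that deletes the rules should stay. The `reload_service` defined here as `stop`+`start` restarts only the daemon and, as written, never touches the firewall.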
diff --git a/urlfilter/files/etc/uci-defaults/95-urlfilter_add_firewall_rule b/urlfilter/files/etc/uci-defaults/95-urlfilter_add_firewall_rule
new file mode 100644
index 000000000..238e54121
--- /dev/null
+++ b/urlfilter/files/etc/uci-defaults/95-urlfilter_add_firewall_rule
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+
+if uci -q get firewall.urlfilter >/dev/null; then
+ exit
+fi
+
+uci set firewall.urlfilter=include
+uci set firewall.urlfilter.reload=1
+uci set firewall.urlfilter.path=/etc/firewall.urlfilter
+uci commit firewall
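Review bot: On an in-place install nothing reloads the firewall after this script registers the include, so `/etc/firewall.urlfilter` does not run — and, because the init script no longer installs the rules itself, urlfilter sees no traffic — until the next firewall reload; on first boot the ordering works out because uci-defaults are applied before the firewall starts. A `[ -n "$IPKG_INSTROOT" ] || /etc/init.d/firewall reload` in the package postinst (after `default_postinst`) closes that gap without touching this script. Separately, if the target ships firewall4 rather than fw3, a `type script` include is skipped unless the section also sets `option fw4_compatible '1'`, and this iptables-only script could not honestly claim that, so a comment stating that the package assumes fw3 would prevent a silent no-op on newer images. Minor: a bare `exit` returns the status of the preceding `uci -q get` (0 here); `exit 0` says what is meant.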