urlfilter: fix connection flush on firewall reload
This commit is contained in:
parent
903ff637e7
commit
54503f98d4
4 changed files with 54 additions and 69 deletions
|
|
@ -5,7 +5,7 @@
|
||||||
include $(TOPDIR)/rules.mk
|
include $(TOPDIR)/rules.mk
|
||||||
|
|
||||||
PKG_NAME:=urlfilter
|
PKG_NAME:=urlfilter
|
||||||
PKG_VERSION:=2.0.0
|
PKG_VERSION:=2.0.1
|
||||||
|
|
||||||
LOCAL_DEV:=0
|
LOCAL_DEV:=0
|
||||||
ifneq ($(LOCAL_DEV),1)
|
ifneq ($(LOCAL_DEV),1)
|
||||||
|
|
@ -44,13 +44,20 @@ endif
|
||||||
|
|
||||||
define Package/urlfilter/install
|
define Package/urlfilter/install
|
||||||
$(INSTALL_DIR) $(1)/usr/sbin
|
$(INSTALL_DIR) $(1)/usr/sbin
|
||||||
$(INSTALL_DIR) $(1)/etc/config
|
|
||||||
$(INSTALL_DIR) $(1)/etc/init.d
|
|
||||||
$(INSTALL_DIR) $(1)/etc/uci-defaults
|
|
||||||
$(INSTALL_DIR) $(1)/etc/urlfilter
|
|
||||||
$(INSTALL_BIN) $(PKG_BUILD_DIR)/urlfilter $(1)/usr/sbin
|
$(INSTALL_BIN) $(PKG_BUILD_DIR)/urlfilter $(1)/usr/sbin
|
||||||
|
|
||||||
|
$(INSTALL_DIR) $(1)/etc/init.d
|
||||||
$(INSTALL_BIN) ./files/etc/init.d/urlfilter $(1)/etc/init.d/
|
$(INSTALL_BIN) ./files/etc/init.d/urlfilter $(1)/etc/init.d/
|
||||||
|
|
||||||
|
$(INSTALL_DIR) $(1)/etc/config
|
||||||
$(INSTALL_DATA) ./files/etc/config/urlfilter $(1)/etc/config/
|
$(INSTALL_DATA) ./files/etc/config/urlfilter $(1)/etc/config/
|
||||||
|
|
||||||
|
$(INSTALL_DIR) $(1)/etc/
|
||||||
|
$(INSTALL_DATA) ./files/etc/firewall.urlfilter $(1)/etc/
|
||||||
|
|
||||||
|
$(INSTALL_DIR) $(1)/etc/uci-defaults
|
||||||
|
$(INSTALL_DATA) ./files/etc/uci-defaults/95-urlfilter_add_firewall_rule $(1)/etc/uci-defaults
|
||||||
|
|
||||||
$(BBFDM_INSTALL_MS_DM) ./files/etc/urlfilter/urlfilter.json $(1) $(PKG_NAME)
|
$(BBFDM_INSTALL_MS_DM) ./files/etc/urlfilter/urlfilter.json $(1) $(PKG_NAME)
|
||||||
endef
|
endef
|
||||||
|
|
||||||
|
|
|
||||||
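Review bot: The new install lines are inconsistent about trailing slashes: `$(INSTALL_DIR) $(1)/etc/` carries one while the other INSTALL_DIR targets in the same define do not, and `$(INSTALL_DATA) ./files/etc/uci-defaults/95-urlfilter_add_firewall_rule $(1)/etc/uci-defaults` omits the trailing `/` that the sibling INSTALL_BIN/INSTALL_DATA lines use. Both forms work because each destination directory is created just before it is populated, but a uniform style (`$(INSTALL_DIR) $(1)/etc` and `... $(1)/etc/uci-defaults/`) keeps the define easy to scan. Installing the firewall include with `$(INSTALL_DATA)` rather than `$(INSTALL_BIN)` appears deliberate, since fw3 runs script includes through the shell rather than executing the file directly; a one-line comment above it, e.g. `# firewall include: run by fw3 via sh, no exec bit needed`, would record that choice for the next maintainer.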
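--- /dev/null
+++ b/urlfilter/files/etc/firewall.urlfilter
@@ -0,0 +1,31 @@
+
+iptables -w -nL FORWARD|grep -iqE "NFQUEUE"
+if [ "$?" -ne 0 ]; then
+# setup netfilter queue 0, use queue bypass so that if no application is
+# listening to this queue then traffic is unaffected.
+iptables -w -I FORWARD 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+iptables -w -I FORWARD 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+
+iptables -w -I INPUT 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+iptables -w -I INPUT 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+
+# disable acceleration for https packet so that they can be read by urlfilter
+ebtables --concurrent -A FORWARD -p ip --ip-protocol 6 --ip-destination-port 443 -j SKIPLOG 2> /dev/null
+ebtables --concurrent -A FORWARD -p ip --ip-protocol 6 --ip-source-port 53 -j SKIPLOG 2> /dev/null
+ebtables --concurrent -A FORWARD -p ip --ip-protocol 17 --ip-source-port 53 -j SKIPLOG 2> /dev/null
+fi
+
+ip6tables -w -nL FORWARD|grep -iqE "NFQUEUE"
+if [ "$?" -ne 0 ]; then
+#ip6table rules
+ip6tables -w -I FORWARD 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+ip6tables -w -I FORWARD 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+
+ip6tables -w -I INPUT 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+ip6tables -w -I INPUT 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+
+# disable acceleration for https packet so that they can be read by urlfilter
+ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 6 --ip6-destination-port 443 -j SKIPLOG 2> /dev/null
+ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 6 --ip6-source-port 53 -j SKIPLOG 2> /dev/null
+ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 17 --ip6-source-port 53 -j SKIPLOG 2> /dev/null
+fi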
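Review bot: `/etc/firewall.urlfilter` inserts the NFQUEUE and ebtables SKIPLOG rules unconditionally, whereas `start_service` in the init script only starts the daemon when `urlfilter.globals.enable` is 1, so a disabled urlfilter still gets every 80/443/53 packet on INPUT and FORWARD diverted to queue 0 (passed through by `--queue-bypass`, but still a first-position rule on both chains) and acceleration switched off for 443 and 53 by the SKIPLOG rules. A guard at the top of the script, `[ "$(uci -q get urlfilter.globals.enable)" = "1" ] || exit 0`, keeps the rule set in step with the service state on every firewall reload, which is the only time these rules are now (re)applied. Separately, the presence check lists only FORWARD (`iptables -w -nL FORWARD|grep -iqE "NFQUEUE"`) yet also decides whether the INPUT rules are inserted, so an unrelated NFQUEUE rule in FORWARD from another package would suppress the INPUT rules here; checking the specific rule with `iptables -w -C INPUT ...` before each insert would be more precise. The ip6tables block at the bottom has the same FORWARD-only check.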
@ -7,44 +7,9 @@ USE_PROCD=1
|
||||||
NAME=urlfilter
|
NAME=urlfilter
|
||||||
PROG=/usr/sbin/urlfilter
|
PROG=/usr/sbin/urlfilter
|
||||||
|
|
||||||
configure_firewall()
|
|
||||||
{
|
|
||||||
iptables -w -nL FORWARD|grep -iqE "NFQUEUE"
|
|
||||||
if [ "$?" -ne 0 ]; then
|
|
||||||
# setup netfilter queue 0, use queue bypass so that if no application is
|
|
||||||
# listening to this queue then traffic is unaffected.
|
|
||||||
iptables -w -I FORWARD 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
|
|
||||||
iptables -w -I FORWARD 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
|
|
||||||
|
|
||||||
iptables -w -I INPUT 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
|
|
||||||
iptables -w -I INPUT 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
|
|
||||||
|
|
||||||
# disable acceleration for https packet so that they can be read by urlfilter
|
|
||||||
ebtables --concurrent -A FORWARD -p ip --ip-protocol 6 --ip-destination-port 443 -j SKIPLOG 2> /dev/null
|
|
||||||
ebtables --concurrent -A FORWARD -p ip --ip-protocol 6 --ip-source-port 53 -j SKIPLOG 2> /dev/null
|
|
||||||
ebtables --concurrent -A FORWARD -p ip --ip-protocol 17 --ip-source-port 53 -j SKIPLOG 2> /dev/null
|
|
||||||
fi
|
|
||||||
ip6tables -w -nL FORWARD|grep -iqE "NFQUEUE"
|
|
||||||
if [ "$?" -ne 0 ]; then
|
|
||||||
#ip6table rules
|
|
||||||
ip6tables -w -I FORWARD 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
|
|
||||||
ip6tables -w -I FORWARD 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
|
|
||||||
|
|
||||||
ip6tables -w -I INPUT 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
|
|
||||||
ip6tables -w -I INPUT 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
|
|
||||||
|
|
||||||
# disable acceleration for https packet so that they can be read by urlfilter
|
|
||||||
ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 6 --ip6-destination-port 443 -j SKIPLOG 2> /dev/null
|
|
||||||
ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 6 --ip6-source-port 53 -j SKIPLOG 2> /dev/null
|
|
||||||
ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 17 --ip6-source-port 53 -j SKIPLOG 2> /dev/null
|
|
||||||
fi
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
start_service() {
|
start_service() {
|
||||||
|
|
||||||
if [ "$(uci -q get urlfilter.globals.enable)" == "1" ]; then
|
if [ "$(uci -q get urlfilter.globals.enable)" == "1" ]; then
|
||||||
configure_firewall
|
|
||||||
procd_open_instance urlfilter
|
procd_open_instance urlfilter
|
||||||
procd_set_param command ${PROG}
|
procd_set_param command ${PROG}
|
||||||
procd_set_param respawn
|
procd_set_param respawn
|
||||||
|
|
@ -59,40 +24,11 @@ start_service() {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
stop_service() {
|
|
||||||
iptables -w -nL FORWARD|grep -iqE "NFQUEUE"
|
|
||||||
if [ "$?" -eq 0 ]; then
|
|
||||||
iptables -w -D FORWARD -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
|
|
||||||
iptables -w -D FORWARD -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
|
|
||||||
|
|
||||||
iptables -w -D INPUT -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
|
|
||||||
iptables -w -D INPUT -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
|
|
||||||
|
|
||||||
ebtables --concurrent -D FORWARD -p ip --ip-protocol 6 --ip-destination-port 443 -j SKIPLOG 2> /dev/null
|
|
||||||
ebtables --concurrent -D FORWARD -p ip --ip-protocol 6 --ip-source-port 53 -j SKIPLOG 2> /dev/null
|
|
||||||
ebtables --concurrent -D FORWARD -p ip --ip-protocol 17 --ip-source-port 53 -j SKIPLOG 2> /dev/null
|
|
||||||
fi
|
|
||||||
ip6tables -w -nL FORWARD|grep -iqE "NFQUEUE"
|
|
||||||
if [ "$?" -eq 0 ]; then
|
|
||||||
#ip6table rules
|
|
||||||
ip6tables -w -D FORWARD -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
|
|
||||||
ip6tables -w -D FORWARD -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
|
|
||||||
|
|
||||||
ip6tables -w -D INPUT -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
|
|
||||||
ip6tables -w -D INPUT -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
|
|
||||||
|
|
||||||
ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 6 --ip6-destination-port 443 -j SKIPLOG 2> /dev/null
|
|
||||||
ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 6 --ip6-source-port 53 -j SKIPLOG 2> /dev/null
|
|
||||||
ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 17 --ip6-source-port 53 -j SKIPLOG 2> /dev/null
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
reload_service() {
|
reload_service() {
|
||||||
stop
|
stop
|
||||||
start
|
start
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
service_triggers() {
|
service_triggers() {
|
||||||
procd_add_reload_trigger "urlfilter"
|
procd_add_reload_trigger "urlfilter"
|
||||||
procd_add_reload_trigger "firewall"
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
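Review bot: With `configure_firewall` and `stop_service` removed, nothing in this script takes the NFQUEUE/SKIPLOG rules down any more: `/etc/init.d/urlfilter stop`, or a reload after setting `urlfilter.globals.enable` to 0, now leaves them in place until the firewall itself is reloaded, which is a behaviour change worth stating in the file. A comment above `start_service`, e.g. `# firewall rules are owned by /etc/firewall.urlfilter (fw3 include, reload=1); stop/reload here only affect the daemon`, would make that explicit for the next reader. `reload_service` is still `stop` followed by `start`, so every urlfilter config change restarts the daemon; if the intent of this commit is to avoid disturbing live connections, a short comment on why a full restart is acceptable on config reload (as opposed to firewall reload) would help. `start_service` is opened in the first hunk and closed in the second, so its body spans both.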
@ -0,0 +1,11 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
|
||||||
|
if uci -q get firewall.urlfilter >/dev/null; then
|
||||||
|
exit
|
||||||
|
fi
|
||||||
|
|
||||||
|
uci set firewall.urlfilter=include
|
||||||
|
uci set firewall.urlfilter.reload=1
|
||||||
|
uci set firewall.urlfilter.path=/etc/firewall.urlfilter
|
||||||
|
uci commit firewall
|
||||||
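Review bot: The bare `exit` in the early-return branch leaves the script's exit status to the preceding `uci -q get firewall.urlfilter`; it is 0 there, which matters because uci-defaults scripts are removed only when they succeed, but `exit 0` states that intent directly. The whole `if ... then exit fi` block could also be collapsed to a guard, `uci -q get firewall.urlfilter >/dev/null && exit 0`. The include section sets only `reload=1` and `path` and leaves `type` and `enabled` to fw3's defaults; if the default include type is being relied on, a comment such as `# fw3 include: type defaults to script, run on every firewall reload` saves the next reader a lookup.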