From 9b79eb42db14be35e5cb355c291408869de78666 Mon Sep 17 00:00:00 2001
From: Mohd Husaam Mehdi
Date: Wed, 27 Aug 2025 14:05:47 +0530
Subject: [PATCH] parental-control: improve packet capture rules for DNS

---
 .../lib/parentalcontrol/parentalcontrol.sh | 83 +++++++++++++------
 1 file changed, 57 insertions(+), 26 deletions(-)

diff --git a/parental-control/files/lib/parentalcontrol/parentalcontrol.sh b/parental-control/files/lib/parentalcontrol/parentalcontrol.sh
index 8d51f2b3f..d9d629e5c 100644
--- a/parental-control/files/lib/parentalcontrol/parentalcontrol.sh
+++ b/parental-control/files/lib/parentalcontrol/parentalcontrol.sh
@@ -441,19 +441,28 @@ add_iptables_nfqueue_rules() {
 local filter_used

 # Check if urlfilter used
- if ! uci show parentalcontrol |grep -q profile_urlfilter; then
+ if ! uci show parentalcontrol | grep -q profile_urlfilter; then
 return
 fi

- iptables -w -nL FORWARD|grep -iqE "NFQUEUE"
+ # IPv4 rules
+ iptables -w -nL FORWARD | grep -iqE "NFQUEUE"
 if [ "$?" -ne 0 ]; then
- # setup netfilter queue 0, use queue bypass so that if no application is
- # listening to this queue then traffic is unaffected.
- iptables -w -I FORWARD 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
- iptables -w -I FORWARD 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+ # capture DNS responses (UDP/TCP sport 53) in FORWARD
+ iptables -w -I FORWARD 1 -p tcp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
+ iptables -w -I FORWARD 1 -p udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass

- iptables -w -I INPUT 1 -p tcp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
- iptables -w -I INPUT 1 -p udp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
+ # INPUT: DNS replies to router, skip loopback
+ iptables -w -I INPUT 1 -p tcp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
+ iptables -w -I INPUT 1 -p udp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
+
+ # OUTPUT: DNS replies from router, skip loopback
+ iptables -w -I OUTPUT 1 -p tcp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
+ iptables -w -I OUTPUT 1 -p udp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
+
+ # HTTP/HTTPS flows for urlfilter
+ iptables -w -I FORWARD 1 -p tcp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
+ iptables -w -I FORWARD 1 -p udp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass

 # disable acceleration for https packet so that they can be read by urlfilter
 ebtables --concurrent -A FORWARD -p ip --ip-protocol 6 --ip-destination-port 443 -j SKIPLOG 2> /dev/null
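Review bot: The added `--sport 53` rules in FORWARD and INPUT match on source port alone and are inserted at position 1, ahead of whatever zone policy follows, so any packet carrying source port 53 — including ones a LAN or WAN host crafts that answer no query — is handed to queue 0. That lets an attacker feed spoofed "responses" to whatever reads the queue and, if the queue backs up, starve the real DNS replies queued behind them; `--queue-bypass` only helps when no listener is attached at all. If conntrack is available on this target, limiting the reply-direction rules to established flows closes most of that, e.g. `iptables -w -I INPUT 1 -p udp --sport 53 ! -i lo -m conntrack --ctstate ESTABLISHED -j NFQUEUE --queue-num 0 --queue-bypass` (same for the tcp, FORWARD and OUTPUT variants). The guard `iptables -w -nL FORWARD | grep -iqE "NFQUEUE"` is also keyed on FORWARD alone, so a router still carrying the old `--ports 80,443,53` rules at upgrade time will skip adding the new INPUT/OUTPUT rules while the rewritten remove function (later in this patch) deletes only the new spec, which suggests a one-time cleanup of the old rules is needed. add_iptables_nfqueue_rules starts before this hunk and continues after it.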
@@ -461,14 +470,24 @@ add_iptables_nfqueue_rules() {
 ebtables --concurrent -A FORWARD -p ip --ip-protocol 17 --ip-source-port 53 -j SKIPLOG 2> /dev/null
 fi

- ip6tables -w -nL FORWARD|grep -iqE "NFQUEUE"
+ # IPv6 rules
+ ip6tables -w -nL FORWARD | grep -iqE "NFQUEUE"
 if [ "$?" -ne 0 ]; then
- #ip6table rules
- ip6tables -w -I FORWARD 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
- ip6tables -w -I FORWARD 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+ # capture DNS responses (UDP/TCP sport 53) in FORWARD
+ ip6tables -w -I FORWARD 1 -p tcp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
+ ip6tables -w -I FORWARD 1 -p udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass

- ip6tables -w -I INPUT 1 -p tcp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
- ip6tables -w -I INPUT 1 -p udp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
+ # INPUT: DNS replies to router, skip loopback
+ ip6tables -w -I INPUT 1 -p tcp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
+ ip6tables -w -I INPUT 1 -p udp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
+
+ # OUTPUT: DNS replies from router, skip loopback
+ ip6tables -w -I OUTPUT 1 -p tcp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
+ ip6tables -w -I OUTPUT 1 -p udp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
+
+ # HTTP/HTTPS flows for urlfilter
+ ip6tables -w -I FORWARD 1 -p tcp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
+ ip6tables -w -I FORWARD 1 -p udp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass

 # disable acceleration for https packet so that they can be read by urlfilter
 ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 6 --ip6-destination-port 443 -j SKIPLOG 2> /dev/null
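Review bot: The IPv6 block repeats the IPv4 block line for line with `ip6tables` swapped in, and within it each chain's tcp and udp rules differ only in `-p`, so eight near-identical rule lines per family are now maintained by hand; a loop over the protocol (applied to the IPv4 block too) would halve them and keep the two families from drifting the next time the port set changes. The guard `ip6tables -w -nL FORWARD | grep -iqE "NFQUEUE"` also fires on any NFQUEUE rule another package may have placed in FORWARD, not just these; if this iptables build supports `-C`, checking the exact spec with `ip6tables -w -C FORWARD -p udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass` would make the idempotency check precise. add_iptables_nfqueue_rules continues past this hunk, so the matching `fi` is not shown below.
```shell
    # IPv6 rules
    ip6tables -w -nL FORWARD | grep -iqE "NFQUEUE"
    if [ "$?" -ne 0 ]; then
        local proto
        for proto in tcp udp; do
            # DNS responses (sport 53): forwarded, to the router, from the router
            ip6tables -w -I FORWARD 1 -p "$proto" --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
            ip6tables -w -I INPUT 1 -p "$proto" --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass
            ip6tables -w -I OUTPUT 1 -p "$proto" --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass
            # HTTP/HTTPS flows for urlfilter
            ip6tables -w -I FORWARD 1 -p "$proto" --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass
        done
        # … unchanged: ebtables SKIPLOG rules for ip6 …
```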
@@ -478,26 +497,38 @@ add_iptables_nfqueue_rules() { } remove_iptables_nfqueue_rules() { - iptables -w -nL FORWARD|grep -iqE "NFQUEUE" + iptables -w -nL FORWARD | grep -iqE "NFQUEUE" if [ "$?" -eq 0 ]; then - iptables -w -D FORWARD -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass - iptables -w -D FORWARD -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass + # DNS response rules + iptables -w -D FORWARD -p tcp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass + iptables -w -D FORWARD -p udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass + iptables -w -D INPUT -p tcp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass + iptables -w -D INPUT -p udp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass + iptables -w -D OUTPUT -p tcp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass + iptables -w -D OUTPUT -p udp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass - iptables -w -D INPUT -p tcp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass - iptables -w -D INPUT -p udp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass + # HTTP/HTTPS + iptables -w -D FORWARD -p tcp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass + iptables -w -D FORWARD -p udp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass ebtables --concurrent -D FORWARD -p ip --ip-protocol 6 --ip-destination-port 443 -j SKIPLOG 2> /dev/null ebtables --concurrent -D FORWARD -p ip --ip-protocol 6 --ip-source-port 53 -j SKIPLOG 2> /dev/null ebtables --concurrent -D FORWARD -p ip --ip-protocol 17 --ip-source-port 53 -j SKIPLOG 2> /dev/null fi - ip6tables -w -nL FORWARD|grep -iqE "NFQUEUE" - if [ "$?" 
-eq 0 ]; then - #ip6table rules - ip6tables -w -D FORWARD -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass - ip6tables -w -D FORWARD -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass - ip6tables -w -D INPUT -p tcp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass - ip6tables -w -D INPUT -p udp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass + ip6tables -w -nL FORWARD | grep -iqE "NFQUEUE" + if [ "$?" -eq 0 ]; then + # DNS response rules + ip6tables -w -D FORWARD -p tcp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass + ip6tables -w -D FORWARD -p udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass + ip6tables -w -D INPUT -p tcp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass + ip6tables -w -D INPUT -p udp --sport 53 ! -i lo -j NFQUEUE --queue-num 0 --queue-bypass + ip6tables -w -D OUTPUT -p tcp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass + ip6tables -w -D OUTPUT -p udp --sport 53 ! -o lo -j NFQUEUE --queue-num 0 --queue-bypass + + # HTTP/HTTPS + ip6tables -w -D FORWARD -p tcp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass + ip6tables -w -D FORWARD -p udp --match multiport --ports 80,443 -j NFQUEUE --queue-num 0 --queue-bypass ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 6 --ip6-destination-port 443 -j SKIPLOG 2> /dev/null ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 6 --ip6-source-port 53 -j SKIPLOG 2> /dev/null