From b8ebda638cec07c5e3a2f0dd9aeabacbfd76cbe7 Mon Sep 17 00:00:00 2001
From: Mohd Husaam Mehdi
Date: Wed, 12 Mar 2025 20:19:29 +0530
Subject: [PATCH] parentalcontrol: do not add rule for web traffic directed to self

* this is not necessary for the functioning of urlfilter, only DNS traffic directed towards the device should be intercepted
* secondly, this is causing problems sometimes where DNS and HTTP traffic cannot flow if a large file (9MB tested) is downloaded from the device (for example, a urlbundle file), the reason for this is not known yet, but the fix is to not intercept web traffic directed to the DUT
---
 .../files/lib/parentalcontrol/parentalcontrol.sh | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/parental-control/files/lib/parentalcontrol/parentalcontrol.sh b/parental-control/files/lib/parentalcontrol/parentalcontrol.sh
index 7d1db7cfb..07df93faf 100644
--- a/parental-control/files/lib/parentalcontrol/parentalcontrol.sh
+++ b/parental-control/files/lib/parentalcontrol/parentalcontrol.sh
@@ -442,8 +442,8 @@ add_iptables_nfqueue_rules() {
 iptables -w -I FORWARD 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
 iptables -w -I FORWARD 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
- iptables -w -I INPUT 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
- iptables -w -I INPUT 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+ iptables -w -I INPUT 1 -p tcp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
+ iptables -w -I INPUT 1 -p udp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
 # disable acceleration for https packet so that they can be read by urlfilter
 ebtables --concurrent -A FORWARD -p ip --ip-protocol 6 --ip-destination-port 443 -j SKIPLOG 2> /dev/null
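Review bot: The new INPUT rules still deliver DNS to the same queue 0 that the FORWARD 80,443,53 rules two lines above feed, so a single bulk HTTP/HTTPS flow forwarded through the router can fill that queue and stall DNS verdicts in the same way the self-served download in the commit message did; the narrowing removes the self-served case but not the forwarded one. If urlfilter can bind a second queue, giving DNS its own number (`--queue-num 1` on the INPUT lines, mirrored in remove_iptables_nfqueue_rules) keeps a saturated web queue from starving name resolution, and `--queue-balance` is an option if the daemon is multi-threaded. Queue overflow as the root cause is inferred rather than shown by the hunk, so confirm it against the drop counters in /proc/net/netfilter/nfnetlink_queue before changing the layout. Note too that `--queue-bypass` only ACCEPTs when no listener is bound to the queue — by default a full queue still drops — so if urlfilter exits the DNS rule fails open unfiltered; a comment on the line, `# --queue-bypass: ACCEPT (unfiltered) when urlfilter is not bound to queue 0`, would make that trade-off explicit. add_iptables_nfqueue_rules starts before and ends after this hunk.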
@@ -457,8 +457,8 @@ add_iptables_nfqueue_rules() {
 ip6tables -w -I FORWARD 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
 ip6tables -w -I FORWARD 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
- ip6tables -w -I INPUT 1 -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
- ip6tables -w -I INPUT 1 -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+ ip6tables -w -I INPUT 1 -p tcp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
+ ip6tables -w -I INPUT 1 -p udp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
 # disable acceleration for https packet so that they can be read by urlfilter
 ebtables --concurrent -A FORWARD -p ip6 --ip6-protocol 6 --ip6-destination-port 443 -j SKIPLOG 2> /dev/null
@@ -473,8 +473,8 @@ remove_iptables_nfqueue_rules() {
 iptables -w -D FORWARD -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
 iptables -w -D FORWARD -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
- iptables -w -D INPUT -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
- iptables -w -D INPUT -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+ iptables -w -D INPUT -p tcp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
+ iptables -w -D INPUT -p udp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
 ebtables --concurrent -D FORWARD -p ip --ip-protocol 6 --ip-destination-port 443 -j SKIPLOG 2> /dev/null
 ebtables --concurrent -D FORWARD -p ip --ip-protocol 6 --ip-source-port 53 -j SKIPLOG 2> /dev/null
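Review bot: `--ports 53` matches either the source or the destination port, so the new ip6tables INPUT rules queue replies from upstream resolvers arriving at the router's own forwarder (source port 53) as well as client queries addressed to it (destination port 53), while the commit message describes only the latter. If only queries toward the device are meant, `-p tcp --dport 53` and `-p udp --dport 53` say so exactly and drop the now single-port `--match multiport`; the `-D` lines in remove_iptables_nfqueue_rules must then be changed to the identical spec, since `-D` only deletes an exact match. If responses are wanted too — the ebtables `--ip6-source-port 53` SKIPLOG rule deleted in remove_iptables_nfqueue_rules hints that urlfilter inspects them — keep `--ports` and add a comment such as `# --ports: queue both client queries (dport 53) and upstream replies (sport 53)`. add_iptables_nfqueue_rules starts before and ends after this hunk.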
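Review bot: `-D` only deletes a rule whose specification matches exactly, so on a device upgraded in place the INPUT rules still loaded with the old `80,443,53` list are not removed by the new `--ports 53` lines and stay at the head of INPUT until a reboot or full firewall reload — the change then has no effect on precisely the traffic it means to stop intercepting. Keeping a best-effort delete of the legacy spec beside the new one, `iptables -w -D INPUT -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass 2>/dev/null` plus its udp twin, covers that transition. Whether the service is ever restarted without a reboot is not visible here, so drop the extra lines if upgrades always reboot. remove_iptables_nfqueue_rules starts before and ends after this hunk.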
@@ -486,8 +486,8 @@ remove_iptables_nfqueue_rules() {
 ip6tables -w -D FORWARD -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
 ip6tables -w -D FORWARD -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
- ip6tables -w -D INPUT -p tcp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
- ip6tables -w -D INPUT -p udp --match multiport --ports 80,443,53 -j NFQUEUE --queue-num 0 --queue-bypass
+ ip6tables -w -D INPUT -p tcp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
+ ip6tables -w -D INPUT -p udp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass
 ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 6 --ip6-destination-port 443 -j SKIPLOG 2> /dev/null
 ebtables --concurrent -D FORWARD -p ip6 --ip6-protocol 6 --ip6-source-port 53 -j SKIPLOG 2> /dev/null
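Review bot: Each ip6tables `-D` here removes a single instance, while the matching add path inserts with `-I INPUT 1` unconditionally, so if add_iptables_nfqueue_rules is ever run twice without a remove in between, one INPUT 53 rule survives this function and DNS keeps being queued after the feature is switched off. Draining in a loop, `while ip6tables -w -D INPUT -p udp --match multiport --ports 53 -j NFQUEUE --queue-num 0 --queue-bypass 2>/dev/null; do :; done` (and the tcp twin), makes removal idempotent; alternatively guard the insert with `ip6tables -w -C INPUT ... || ip6tables -w -I INPUT 1 ...`. Whether a double add can happen is not visible from this hunk. Separately, only the ebtables lines silence stderr, so an already-absent ip6tables rule prints a `Bad rule` error to whoever calls this; silencing it the same way and checking the status instead would be consistent. remove_iptables_nfqueue_rules starts before this hunk.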