urlfilter: update makefile and fix https filtering

* make use of conntrack to flush existing tcp connections
* update init file to
    * not accelerate https packets so that they can be trapped
      by urlfilter daemon
    * flush connections when daemon reloaded
    * make firewall rules more secure
This commit is contained in:
Rahul 2021-05-27 18:53:01 +05:30
parent fdabc69dfa
commit c3eeb956d9
2 changed files with 28 additions and 25 deletions


@ -14,6 +14,7 @@ PKG_SOURCE_PROTO:=git
PKG_SOURCE_VERSION:=891e8d36446c0b1e7999c5798375985b1804fcf1
PKG_SOURCE_URL:=https://dev.iopsys.eu/iopsys/urlfilter.git
PKG_SOURCE:=$(PKG_NAME)-$(PKG_SOURCE_VERSION).tar.gz
PKG_MIRROR_HASH:=skip
endif
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
@ -26,7 +27,7 @@ define Package/urlfilter
SECTION:=utils
CATEGORY:=Utilities
TITLE:=URL filter
DEPENDS:=+libuci +libnetfilter-queue +libnfnetlink +iptables-mod-nfqueue +libpthread +libubox +ubus
DEPENDS:=+libuci +libnetfilter-queue +libnfnetlink +iptables-mod-nfqueue +libpthread +libubox +ubus +conntrack
endef
define Package/urlfilter/description
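Review bot: The new `+conntrack` on the DEPENDS line turns the conntrack tool into a hard package dependency, while the init script changed in the same commit still guards its use with `if [ -n "$(which conntrack)" ]`, so one of the two is redundant: either drop the runtime guard or keep it and leave the dependency optional. The first hunk header `-14,6 +14,7` reports one added line that is not visible in this rendering, so what that hunk adds cannot be confirmed from the page. Since `conntrack -F` empties the whole connection-tracking table rather than only the HTTPS flows the daemon needs to observe, a short comment next to the dependency would help the next maintainer, e.g. `# conntrack: init script flushes tracked connections after (re)start so open sessions are re-inspected`.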


@ -9,13 +9,17 @@ PROG=/usr/sbin/urlfilter
configure_firewall()
{
iptables -L FORWARD|grep -iqE "NFQUEUE"
iptables -w -L FORWARD|grep -iqE "NFQUEUE"
if [ "$?" -ne 0 ]; then
echo "Applying firewall rule to setup NFQUEUE on forward traffic for urlfiltering"
iptables -I FORWARD 1 -p tcp --dport 80 -j NFQUEUE --queue-num 0
iptables -I FORWARD 2 -p tcp --dport 443 -j NFQUEUE --queue-num 0
iptables -I INPUT 1 -p udp --dport 53 -j NFQUEUE --queue-num 0
iptables -I INPUT 2 -p udp --sport 53 -j NFQUEUE --queue-num 0
# setup netfilter queue 0, use queue bypass so that if no application is
# listening to this queue then traffic is unaffected.
iptables -w -I FORWARD 1 -p tcp --dport 80 -j NFQUEUE --queue-num 0 --queue-bypass
iptables -w -I FORWARD 2 -p tcp --dport 443 -j NFQUEUE --queue-num 0 --queue-bypass
iptables -w -I INPUT 1 -p udp --dport 53 -j NFQUEUE --queue-num 0 --queue-bypass
iptables -w -I INPUT 2 -p udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
# disable acceleration for https packet so that they can be read by urlfilter
ebtables -A FORWARD -p ip --ip-protocol 6 --ip-destination-port 443 -j SKIPLOG
fi
}
@ -27,33 +31,31 @@ start_service() {
procd_set_param respawn
procd_close_instance
fi
}
stop_service() {
pidof $NAME >/dev/null
if [ "$?" -eq 0 ]; then
pidof $NAME > /dev/null 2>&1 && killall -q $NAME
pidof $NAME > /dev/null 2>&1
while pidof $NAME > /dev/null 2>&1; do
killall -q -9 $NAME
done
fi
iptables -L FORWARD|grep -iqE "NFQUEUE"
if [ "$?" -eq 0 ]; then
echo "Deleting firewall rule to setup NFQUEUE on forward traffic for urlfiltering"
iptables -D FORWARD -p tcp --dport 80 -j NFQUEUE --queue-num 0
iptables -D FORWARD -p tcp --dport 443 -j NFQUEUE --queue-num 0
iptables -D INPUT -p udp --dport 53 -j NFQUEUE --queue-num 0
iptables -D INPUT -p udp --sport 53 -j NFQUEUE --queue-num 0
# Now flush the existing connections, otherwise, urlfiltering cannot be performed
# on already open sites.
if [ -n "$(which conntrack)" ]; then
sleep 5
conntrack -F
fi
}
stop_service() {
iptables -w -L FORWARD|grep -iqE "NFQUEUE"
if [ "$?" -eq 0 ]; then
iptables -w -D FORWARD -p tcp --dport 80 -j NFQUEUE --queue-num 0 --queue-bypass
iptables -w -D FORWARD -p tcp --dport 443 -j NFQUEUE --queue-num 0 --queue-bypass
iptables -w -D INPUT -p udp --dport 53 -j NFQUEUE --queue-num 0 --queue-bypass
iptables -w -D INPUT -p udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
ebtables -D FORWARD -p ip --ip-protocol 6 --ip-destination-port 443 -j SKIPLOG
fi
}
reload_service() {
stop
start
}
service_triggers() {
procd_add_reload_trigger "urlfilter"
procd_add_reload_trigger "firewall"