109 lines
2.7 KiB
Bash
Executable File
109 lines
2.7 KiB
Bash
Executable File
#!/bin/sh /etc/rc.common
|
|
#
|
|
# Copyright (C) 2015 OpenWrt-dist
|
|
# Copyright (C) 2016 fw867 <ffkykzs@gmail.com>
|
|
#
|
|
# This is free software, licensed under the GNU General Public License v3.
|
|
# See /LICENSE for more information.
|
|
#
|
|
|
|
START=99
|
|
|
|
WEBURL_ENABLE=0
|
|
WEBURL_ALGOS=
|
|
|
|
is_true() {
|
|
case $1 in
|
|
1|on|true|yes|enabled) echo 0;;
|
|
*) echo 1;;
|
|
esac
|
|
}
|
|
|
|
get_algo_mode(){
|
|
if [ "x$1" = "x1" ]; then
|
|
echo "kmp"
|
|
else
|
|
echo "bm"
|
|
fi
|
|
}
|
|
|
|
iptables_w(){
|
|
iptables -w 1 "$@"
|
|
}
|
|
|
|
add_rule(){
|
|
local settime
|
|
local macaddr
|
|
local enable
|
|
local timeon
|
|
local timeoff
|
|
local keyword
|
|
config_get enable "$1" enable "0"
|
|
config_get macaddr "$1" macaddr
|
|
config_get timeon "$1" timeon
|
|
config_get timeoff "$1" timeoff
|
|
config_get keyword "$1" keyword
|
|
|
|
if [ -z "$enable" ] || [ $enable = 0 ] || [ -z "$keyword" ]; then
|
|
return
|
|
fi
|
|
|
|
if [ -z "$timeon" ] || [ -z "$timeoff" ]; then
|
|
settime=""
|
|
else
|
|
settime="-m time --kerneltz --timestart $timeon --timestop $timeoff"
|
|
fi
|
|
|
|
if [ -z $macaddr ]; then
|
|
iptables_w -t filter -I WEBURL_RULES $settime -m string --string "$keyword" --algo $WEBURL_ALGOS -j WEBURL_REJECT
|
|
else
|
|
iptables_w -t filter -I WEBURL_RULES $settime -m mac --mac-source $macaddr -m string --string "$keyword" --algo $WEBURL_ALGOS -j WEBURL_REJECT
|
|
fi
|
|
|
|
}
|
|
|
|
weburl_header() {
|
|
local algos
|
|
config_get WEBURL_ENABLE "$1" enable "0"
|
|
config_get algos "$1" algos "0"
|
|
WEBURL_ALGOS=$(get_algo_mode $algos)
|
|
}
|
|
|
|
start(){
|
|
config_load weburl
|
|
config_foreach weburl_header basic
|
|
[ "x`is_true $WEBURL_ENABLE`" = "x0" ] || return 0
|
|
iptables_w -L FORWARD | grep -c WEBURL 2>/dev/null && [ $? -eq 0 ] && return 0;
|
|
# resolve interface
|
|
local interface=$(
|
|
. /lib/functions/network.sh
|
|
|
|
network_is_up "lan" && network_get_device device "lan"
|
|
echo "${device:-br-lan}"
|
|
)
|
|
iptables_w -t filter -N WEBURL_REJECT
|
|
iptables_w -t filter -F WEBURL_REJECT
|
|
iptables_w -t filter -I WEBURL_REJECT -j DROP
|
|
iptables_w -t filter -I WEBURL_REJECT -p tcp -j REJECT --reject-with tcp-reset
|
|
iptables_w -t filter -N WEBURL_RULES
|
|
iptables_w -t filter -F WEBURL_RULES
|
|
config_foreach add_rule macbind
|
|
iptables_w -t filter -N WEBURL
|
|
iptables_w -t filter -F WEBURL
|
|
iptables_w -t filter -I WEBURL -i $interface -m length --length 53:768 -j WEBURL_RULES
|
|
# iptables_w -t filter -I WEBURL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
iptables_w -t filter -I FORWARD -m comment --comment "Rule For Control" -j WEBURL
|
|
logger -t weburl "weburl filter on $interface"
|
|
}
|
|
|
|
stop(){
|
|
iptables_w -t filter -D FORWARD -m comment --comment "Rule For Control" -j WEBURL
|
|
iptables_w -t filter -F WEBURL
|
|
iptables_w -t filter -X WEBURL
|
|
iptables_w -t filter -F WEBURL_RULES
|
|
iptables_w -t filter -X WEBURL_RULES
|
|
iptables_w -t filter -F WEBURL_REJECT
|
|
iptables_w -t filter -X WEBURL_REJECT
|
|
}
|
|
|