91 lines
3.3 KiB
Bash
Executable File
91 lines
3.3 KiB
Bash
Executable File
#!/bin/sh /etc/rc.common
|
|
# Copyright (C) 2016 fw867 <ffkykzs@gmail.com>
|
|
# Copyright (C) 2024 Lienol
|
|
|
|
START=99
|
|
|
|
CONFIG=weburl
|
|
ipt="iptables -w"
|
|
ip6t="ip6tables -w"
|
|
|
|
start(){
|
|
stop
|
|
ENABLED=$(uci -q get ${CONFIG}.@basic[0].enable || echo "0")
|
|
[ "${ENABLED}" != "1" ] && exit 0
|
|
ALGOS=$(uci -q get ${CONFIG}.@basic[0].algos || echo "0")
|
|
WEBURL_ALGOS="bm"
|
|
[ "${ALGOS}" = "1" ] && WEBURL_ALGOS="kmp"
|
|
|
|
# resolve interface
|
|
local interface=$(
|
|
. /lib/functions/network.sh
|
|
|
|
network_is_up "lan" && network_get_device device "lan"
|
|
echo "${device:-br-lan}"
|
|
)
|
|
|
|
$ipt -t filter -N WEBURL_REJECT
|
|
$ipt -t filter -I WEBURL_REJECT -j DROP
|
|
$ipt -t filter -I WEBURL_REJECT -p tcp -j REJECT --reject-with tcp-reset
|
|
$ipt -t filter -N WEBURL_RULES
|
|
$ipt -t filter -N WEBURL
|
|
$ipt -t filter -I WEBURL -i $interface -m length --length 53:768 -j WEBURL_RULES
|
|
# $ipt -t filter -I WEBURL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
$ipt -t filter -I FORWARD -j WEBURL
|
|
|
|
$ip6t -t filter -N WEBURL_REJECT 2>/dev/null
|
|
$ip6t -t filter -I WEBURL_REJECT -j DROP 2>/dev/null
|
|
$ip6t -t filter -I WEBURL_REJECT -p tcp -j REJECT --reject-with tcp-reset 2>/dev/null
|
|
$ip6t -t filter -N WEBURL_RULES 2>/dev/null
|
|
$ip6t -t filter -N WEBURL 2>/dev/null
|
|
$ip6t -t filter -I WEBURL -i $interface -m length --length 53:768 -j WEBURL_RULES 2>/dev/null
|
|
# $ip6t -t filter -I WEBURL -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 2>/dev/null
|
|
$ip6t -t filter -I FORWARD -j WEBURL 2>/dev/null
|
|
|
|
local items=$(uci show ${CONFIG} | grep "=macbind" | cut -d '.' -sf 2 | cut -d '=' -sf 1)
|
|
for i in $items; do
|
|
enable=$(uci -q get ${CONFIG}.${i}.enable || echo "0")
|
|
macaddr=$(uci -q get ${CONFIG}.${i}.macaddr)
|
|
timeon=$(uci -q get ${CONFIG}.${i}.timeon)
|
|
timeoff=$(uci -q get ${CONFIG}.${i}.timeoff)
|
|
keyword=$(uci -q get ${CONFIG}.${i}.keyword)
|
|
if [ "$enable" == "0" ] || [ -z "$keyword" ]; then
|
|
continue
|
|
fi
|
|
if [ -z "$timeon" ] || [ -z "$timeoff" ]; then
|
|
settime=""
|
|
else
|
|
settime="-m time --kerneltz --timestart $timeon --timestop $timeoff"
|
|
fi
|
|
|
|
if [ -z "$macaddr" ]; then
|
|
$ipt -t filter -I WEBURL_RULES $settime -m string --string "$keyword" --algo $WEBURL_ALGOS -j WEBURL_REJECT
|
|
$ip6t -t filter -I WEBURL_RULES $settime -m string --string "$keyword" --algo $WEBURL_ALGOS -j WEBURL_REJECT 2>/dev/null
|
|
else
|
|
$ipt -t filter -I WEBURL_RULES $settime -m mac --mac-source $macaddr -m string --string "$keyword" --algo $WEBURL_ALGOS -j WEBURL_REJECT
|
|
$ip6t -t filter -I WEBURL_RULES $settime -m mac --mac-source $macaddr -m string --string "$keyword" --algo $WEBURL_ALGOS -j WEBURL_REJECT 2>/dev/null
|
|
fi
|
|
unset enable macaddr timeon timeoff keyword
|
|
done
|
|
|
|
logger -t weburl "weburl filter on $interface"
|
|
}
|
|
|
|
stop(){
|
|
$ipt -t filter -D FORWARD -j WEBURL 2>/dev/null
|
|
$ipt -t filter -F WEBURL 2>/dev/null
|
|
$ipt -t filter -X WEBURL 2>/dev/null
|
|
$ipt -t filter -F WEBURL_RULES 2>/dev/null
|
|
$ipt -t filter -X WEBURL_RULES 2>/dev/null
|
|
$ipt -t filter -F WEBURL_REJECT 2>/dev/null
|
|
$ipt -t filter -X WEBURL_REJECT 2>/dev/null
|
|
|
|
$ip6t -t filter -D FORWARD -j WEBURL 2>/dev/null
|
|
$ip6t -t filter -F WEBURL 2>/dev/null
|
|
$ip6t -t filter -X WEBURL 2>/dev/null
|
|
$ip6t -t filter -F WEBURL_RULES 2>/dev/null
|
|
$ip6t -t filter -X WEBURL_RULES 2>/dev/null
|
|
$ip6t -t filter -F WEBURL_REJECT 2>/dev/null
|
|
$ip6t -t filter -X WEBURL_REJECT 2>/dev/null
|
|
}
|