From 86278821c1fc53f7276a726294e1cfa72a548686 Mon Sep 17 00:00:00 2001
From: nvenka781
Date: Wed, 22 Oct 2025 20:38:40 +0000
Subject: [PATCH 1/5] Adding rule for handling https keyword filtering
---
source/firewall/firewall.c | 46 +++++++++++++++++++++++++++++++++++---
1 file changed, 43 insertions(+), 3 deletions(-)
diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c
index 0cb72caf..4b9dd1d4 100644
--- a/source/firewall/firewall.c
+++ b/source/firewall/firewall.c
@@ -9311,9 +9311,49 @@ static int do_parcon_mgmt_site_keywd(FILE *fp, FILE *nat_fp, int iptype, FILE *c
 }
 else if (strncasecmp(method, "KEYWD", 5)==0) {
- // consider the case that user input whole url.
- if(strstr(query, "://") != 0) {
- fprintf(fp, "-A lan2wan_pc_site -m string --string \"%s\" --algo kmp --icase -j %s\n", strstr(query, "://") + 3, drop_log);
+ const char *keyword = NULL;
+ char hostStr[] = "Host:";
+ int range_max = 1024; //max payload bytes to filter
+ int range_incr = 64; //byte ranges to filter
+
+ // Extract keyword if user input is a full URL
+ if (strstr(query, "://") != NULL) {
+ keyword = strstr(query, "://") + 3;
+ } else {
+ keyword = query;
+ }
+
+ if (keyword == NULL || strlen(keyword) == 0) {
+ fprintf(stderr, "Warning: Empty keyword, skipping rule generation.\n");
+ return(0);
+ }
+
+ // Create rules for various ranges of payload to filter
+ int from;
+ for (from = 0; from < range_max; from += range_incr) {
+ int to = from + range_incr;
+ char chainName[64];
+
+ // Create new chain LOG_SiteBlocked_check_kw__
+ snprintf(chainName, sizeof(chainName), "LOG_SiteBlocked_check_kw_%d_%d", from, to);
+ fprintf(fp, "-N %s\n", chainName);
+
+ // Add rule to jump to private chain if "Host:" is found in this offset range
+ fprintf(fp, "-A lan2wan_pc_site -p tcp --dport 80 -m string --string \"%s\" --algo kmp --from %d --to %d --icase -j %s\n",
+ hostStr, from, to, chainName);
+
+ // Add rule to match keyword in private chain within same offset range
+ fprintf(fp, "-A %s -m string --string \"%s\" --algo kmp --from %d --to %d --icase -j %s\n",
+ chainName, keyword, from, to, drop_log);
+
+ // Default rule to return if not matched
+ fprintf(fp, "-A %s -j RETURN\n", chainName);
+ }
+
+ // Add rule for https filter
+ fprintf(fp, "-A lan2wan_pc_site -p tcp --dport 443 -m string --string \"%s\" --algo kmp --icase -j %s\n",
+ keyword, drop_log);
+
 #if defined(_HUB4_PRODUCT_REQ_) || defined (_RDKB_GLOBAL_PRODUCT_REQ_)
 #if defined (_RDKB_GLOBAL_PRODUCT_REQ_)
 if( 0 == strncmp( devicePartnerId, "sky-", 4 ) )
From 77fe72633adb46f47963bdfdd5eb6b901e9168a4 Mon Sep 17 00:00:00 2001
From: nvenka781
Date: Wed, 22 Oct 2025 22:07:24 +0000
Subject: [PATCH 2/5] Corrected cherry-pick rebase
---
source/firewall/firewall.c | 23 ++++++----------------
1 file changed, 6 insertions(+), 17 deletions(-)
diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c
index 4b9dd1d4..2a7adf26 100644
--- a/source/firewall/firewall.c
+++ b/source/firewall/firewall.c
@@ -9356,25 +9356,14 @@ static int do_parcon_mgmt_site_keywd(FILE *fp, FILE *nat_fp, int iptype, FILE *c
 #if defined(_HUB4_PRODUCT_REQ_) || defined (_RDKB_GLOBAL_PRODUCT_REQ_)
 #if defined (_RDKB_GLOBAL_PRODUCT_REQ_)
- if( 0 == strncmp( devicePartnerId, "sky-", 4 ) )
+ if( 0 == strncmp( devicePartnerId, "sky-", 4 ) )
 #endif
- {
- //In Hub4 keyword blocking feature is not working with FORWARD chain rules as CPE (dnsmasq) acts as DNS Proxy.
- //Add rules in INPUT chain to resolve this issue.
- fprintf(fp, "-I INPUT -i %s -j lan2wan_pc_site \n", lan_ifname);
- }
-#endif
- } else {
- fprintf(fp, "-A lan2wan_pc_site -m string --string \"%s\" --algo kmp --icase -j %s\n", query, drop_log);
-#if defined(_HUB4_PRODUCT_REQ_) || defined (_RDKB_GLOBAL_PRODUCT_REQ_)
-#if defined (_RDKB_GLOBAL_PRODUCT_REQ_)
- if( 0 == strncmp( devicePartnerId, "sky-", 4 ) )
-#endif
- {
- fprintf(fp, "-I INPUT -i %s -j lan2wan_pc_site \n", lan_ifname);
- }
+ {
+ //In Hub4 keyword blocking feature is not working with FORWARD chain rules as CPE (dnsmasq) acts as DNS Proxy.
+ //Add rules in INPUT chain to resolve this issue.
+ fprintf(fp, "-I INPUT -i %s -j lan2wan_pc_site \n", lan_ifname);
+ }
 #endif
- }
 }
 }
 }
From 015405e1fb33219115a51f5ebcdd1ac4fe545416 Mon Sep 17 00:00:00 2001
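Review bot: `keyword` is taken straight from `query` and written unescaped into `--string \"%s\"` by the per-window rule inside the loop and by the new port-443 rule, so a configured keyword containing `"`, `\`, a newline or whitespace rewrites the emitted rule line rather than the match pattern, and what iptables-restore loads no longer corresponds to the entry the operator configured. Since the empty-keyword check already returns early, the same spot can reject those characters: `if (strpbrk(keyword, "\"\\\r\n \t") != NULL) { fprintf(stderr, "Warning: Unsupported character in keyword, skipping rule generation.\n"); return(0); }` (or reuse an escaping helper if the file already has one). The 443 rule has no `--from`/`--to`, so the case-insensitive search runs over the full payload of encrypted records, where a short keyword can match unrelated bytes and drop a connection that has nothing to do with the configured site; at minimum that deserves a comment, and bounding it with the same `--from 0 --to %d` window as the port-80 rules would limit the exposure. do_parcon_mgmt_site_keywd starts and ends outside this hunk.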
From: nvenka781
Date: Wed, 29 Oct 2025 04:46:27 +0000
Subject: [PATCH 3/5] Change add new chain to iptables-save file format
---
source/firewall/firewall.c | 27 +++++++++++++--------------
1 file changed, 13 insertions(+), 14 deletions(-)
diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c
index 2a7adf26..8bb56285 100644
--- a/source/firewall/firewall.c
+++ b/source/firewall/firewall.c
@@ -9312,15 +9312,14 @@ static int do_parcon_mgmt_site_keywd(FILE *fp, FILE *nat_fp, int iptype, FILE *c
 else if (strncasecmp(method, "KEYWD", 5)==0) {
 const char *keyword = NULL;
- char hostStr[] = "Host:";
 int range_max = 1024; //max payload bytes to filter
- int range_incr = 64; //byte ranges to filter
+ int range_multiplier = 2;
 // Extract keyword if user input is a full URL
 if (strstr(query, "://") != NULL) {
 keyword = strstr(query, "://") + 3;
 } else {
- keyword = query;
+ keyword = query;
 }
 if (keyword == NULL || strlen(keyword) == 0) {
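Review bot: The `keyword == NULL` half of the guard on the hunk's last line can never be true — `keyword` is always `query` or `strstr(query, "://") + 3` — while a NULL `query` has already been dereferenced by the two `strstr` calls above it, so unless the caller guarantees a non-NULL `query` the guard protects the wrong variable; check `query` before the first `strstr`, e.g. `if (query == NULL) { fprintf(stderr, "Warning: Empty keyword, skipping rule generation.\n"); return(0); }`, and keep only the `strlen` test below. Calling `strstr` twice for the same separator is also worth collapsing into `const char *sep = strstr(query, "://"); keyword = (sep != NULL) ? sep + 3 : query;`. `range_max` and the new `range_multiplier` are tunables with no comment on why 1024 bytes of payload is enough (a request line plus headers can exceed it) and would read better as named constants at file scope. do_parcon_mgmt_site_keywd starts and ends outside this hunk.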
@@ -9329,18 +9328,18 @@ static int do_parcon_mgmt_site_keywd(FILE *fp, FILE *nat_fp, int iptype, FILE *c
 }
 // Create rules for various ranges of payload to filter
- int from;
- for (from = 0; from < range_max; from += range_incr) {
- int to = from + range_incr;
- char chainName[64];
+ int from,to;
+ for ( from = 0, to = 64; from < range_max; from = to, to *= range_multiplier )
+ {
+ char chainName[30]; // linux chainname length is max 29 chars
- // Create new chain LOG_SiteBlocked_check_kw__
- snprintf(chainName, sizeof(chainName), "LOG_SiteBlocked_check_kw_%d_%d", from, to);
- fprintf(fp, "-N %s\n", chainName);
+ // Create new chain
+ snprintf(chainName, sizeof(chainName), "LOG_SiteBlk_KW_%d_%d", from, to);
+ fprintf(fp, ":%s - [0:0]\n", chainName);
 // Add rule to jump to private chain if "Host:" is found in this offset range
- fprintf(fp, "-A lan2wan_pc_site -p tcp --dport 80 -m string --string \"%s\" --algo kmp --from %d --to %d --icase -j %s\n",
- hostStr, from, to, chainName);
+ fprintf(fp, "-A lan2wan_pc_site -p tcp --dport 80 -m string --string \"Host:\" --algo kmp --from %d --to %d --icase -j %s\n",
+ from, to, chainName);
 // Add rule to match keyword in private chain within same offset range
 fprintf(fp, "-A %s -m string --string \"%s\" --algo kmp --from %d --to %d --icase -j %s\n",
@@ -9358,11 +9357,11 @@ static int do_parcon_mgmt_site_keywd(FILE *fp, FILE *nat_fp, int iptype, FILE *c
 #if defined (_RDKB_GLOBAL_PRODUCT_REQ_)
 if( 0 == strncmp( devicePartnerId, "sky-", 4 ) )
 #endif
- {
+ {
 //In Hub4 keyword blocking feature is not working with FORWARD chain rules as CPE (dnsmasq) acts as DNS Proxy.
 //Add rules in INPUT chain to resolve this issue.
 fprintf(fp, "-I INPUT -i %s -j lan2wan_pc_site \n", lan_ifname);
- }
+ }
 #endif
 }
 }
From f56857d00b72d0268b63818c29527aae9c26a9b8 Mon Sep 17 00:00:00 2001
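Review bot: The `:%s - [0:0]` chain declaration and the `Host:` jump rule are written on every pass through this branch, yet the chain name `LOG_SiteBlk_KW_%d_%d` carries nothing keyword-specific; if, as the `method`/`query` dispatch above suggests, this branch runs once per configured KEYWD entry, a second entry declares the same five chains again and duplicates the five jump rules, and as far as I can tell iptables-restore refuses to create a chain that the same restore already created, which would fail the whole table load. The chain declarations and the `Host:` jumps belong in a one-time setup (a static flag, or the caller), with only the `-A %s -m string --string \"%s\"` keyword line emitted per entry. A second coverage gap: the windows 0-64, 64-128, ... 512-1024 are adjacent but never overlap, and `--from`/`--to` confine the search to that byte range, so a `Host:` header or hostname that straddles a window boundary is, as I read xt_string, found in neither window; extending each window's `--to` by the longest pattern searched for, so that consecutive windows overlap, closes it. The loop body continues past the end of this hunk, and the third hunk of this patch is whitespace only. do_parcon_mgmt_site_keywd starts and ends outside this hunk.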
From: nvenka781
Date: Wed, 29 Oct 2025 05:01:01 +0000
Subject: [PATCH 4/5] Corrected chainname initializer
---
source/firewall/firewall.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c
index 8bb56285..01d179ce 100644
--- a/source/firewall/firewall.c
+++ b/source/firewall/firewall.c
@@ -9329,9 +9329,9 @@ static int do_parcon_mgmt_site_keywd(FILE *fp, FILE *nat_fp, int iptype, FILE *c
 // Create rules for various ranges of payload to filter
 int from,to;
- for ( from = 0, to = 64; from < range_max; from = to, to *= range_multiplier )
+ for (from = 0, to = 64; from < range_max; from = to, to = (to * range_multiplier > range_max) ? range_max : to * range_multiplier)
 {
- char chainName[30]; // linux chainname length is max 29 chars
+ char chainName[30] = {'\0'}; // linux chainname length is max 29 chars
 // Create new chain
 snprintf(chainName, sizeof(chainName), "LOG_SiteBlk_KW_%d_%d", from, to);
From 1033dd0541953eb3dd671bb3a99d5d4430f7a0a7 Mon Sep 17 00:00:00 2001
From: nvenka781
Date: Wed, 29 Oct 2025 05:05:51 +0000
Subject: [PATCH 5/5] Fixed snprintf %d directive length issue
---
source/firewall/firewall.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c
index 01d179ce..4e8a2463 100644
--- a/source/firewall/firewall.c
+++ b/source/firewall/firewall.c
@@ -9331,9 +9331,10 @@ static int do_parcon_mgmt_site_keywd(FILE *fp, FILE *nat_fp, int iptype, FILE *c
 int from,to;
 for (from = 0, to = 64; from < range_max; from = to, to = (to * range_multiplier > range_max) ? range_max : to * range_multiplier)
 {
- char chainName[30] = {'\0'}; // linux chainname length is max 29 chars
+ char chainName[64] = {'\0'};
 // Create new chain
+ // linux iptables chainname length is max 29 chars
 snprintf(chainName, sizeof(chainName), "LOG_SiteBlk_KW_%d_%d", from, to);
 fprintf(fp, ":%s - [0:0]\n", chainName);
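Review bot: The clamp folded into the for-increment, `to = (to * range_multiplier > range_max) ? range_max : to * range_multiplier`, is hard to read and evaluates the product twice; with the current `to = 64` and `range_max = 1024` it never fires (64 doubles exactly to 1024), which is worth saying in a comment so the next reader does not assume it does. A short `static int next_window_end(int to, int mult, int max)` helper computing the product once would keep the loop header readable. The `= {'\0'}` initializer is harmless but redundant: `snprintf` always NUL-terminates a non-zero-size buffer.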
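Review bot: Growing `chainName` to 64 bytes silences the format-truncation warning but turns the comment beneath it into a wish rather than a check: the buffer now holds a name longer than the limit iptables enforces (it rejects chain names that are not under 29 characters), and the `snprintf` return value is discarded. With today's constants the longest name is `LOG_SiteBlk_KW_512_1024` (23 characters), so it is fine now, but a later change to `range_max` would produce a rule file that iptables-restore rejects at load time; checking `int n = snprintf(chainName, sizeof(chainName), "LOG_SiteBlk_KW_%d_%d", from, to); if (n < 0 || n >= 29) { fprintf(stderr, "Warning: chain name too long, skipping rule generation.\n"); return(0); }` makes the comment an enforced invariant. The loop body continues past the end of this hunk.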