67 changes: 48 additions & 19 deletions source/firewall/firewall.c
@@ -1,5 +1,5 @@
/*
* If not stated otherwise in this file or this component's Licenses.txt file the

Check failure on line 2 in source/firewall/firewall.c


GitHub Actions / call-fossid-workflow / Fossid Annotate PR

FossID License Issue Detected

Source code with 'Apache-2.0' license found in local file 'source/firewall/firewall.c' (Match: rdkb/components/opensource/ccsp/Utopia/rdkb/components/opensource/ccsp/Utopia/2.1-20160229, 13131 lines, url: https://code.rdkcentral.com/r/plugins/gitiles/rdkb/components/opensource/ccsp/Utopia/+archive/rdkb-2.1-20160229.tar.gz, file: source/firewall/firewall.c)

Check failure on line 2 in source/firewall/firewall.c


GitHub Actions / call-fossid-workflow / Fossid Annotate PR

FossID License Issue Detected

Source code with 'BSD-3-Clause' license found in local file 'source/firewall/firewall.c' (Match: rdkb/components/opensource/ccsp/Utopia/rdkb/components/opensource/ccsp/Utopia/1812, 13205 lines, url: https://code.rdkcentral.com/r/plugins/gitiles/rdkb/components/opensource/ccsp/Utopia/+archive/rdk-dev-1812.tar.gz, file: source/firewall/firewall.c)

Check failure on line 2 in source/firewall/firewall.c


GitHub Actions / call-fossid-workflow / Fossid Annotate PR

FossID License Issue Detected

Source code with 'BSD-3-Clause' license found in local file 'source/firewall/firewall.c' (Match: rdkb/components/opensource/ccsp/Utopia/rdkb/components/opensource/ccsp/Utopia/fc67ea3, 13264 lines, url: https://code.rdkcentral.com/r/plugins/gitiles/rdkb/components/opensource/ccsp/Utopia/+archive/fc67ea3f18571960905f44f7118bbc957f4094cc.tar.gz, file: source/firewall/firewall.c)

Check failure on line 2 in source/firewall/firewall.c


GitHub Actions / call-fossid-workflow / Fossid Annotate PR

FossID License Issue Detected

Source code with 'BSD-Intel' license found in local file 'source/firewall/firewall.c' (Match: rdkb/components/opensource/ccsp/Utopia/rdkb/components/opensource/ccsp/Utopia/1, 13264 lines, url: https://code.rdkcentral.com/r/plugins/gitiles/rdkb/components/opensource/ccsp/Utopia/+archive/RDKB-TEST-RELEASE-1.tar.gz, file: source/firewall/firewall.c)

Check failure on line 2 in source/firewall/firewall.c


GitHub Actions / call-fossid-workflow / Fossid Annotate PR

FossID License Issue Detected

Source code with 'BSD-Intel' license found in local file 'source/firewall/firewall.c' (Match: rdkb/components/opensource/ccsp/Utopia/rdkb/components/opensource/ccsp/Utopia/1, 13264 lines, url: https://code.rdkcentral.com/r/plugins/gitiles/rdkb/components/opensource/ccsp/Utopia/+archive/RDKB-RELEASE-TEST-DUNFELL-1.tar.gz, file: source/firewall/firewall.c)
* following copyright and licenses apply:
*
* Copyright 2015 RDK Management
@@ -9363,30 +9363,59 @@
}
else if (strncasecmp(method, "KEYWD", 5)==0)
{
// consider the case that user input whole url.
if(strstr(query, "://") != 0) {
fprintf(fp, "-A lan2wan_pc_site -m string --string \"%s\" --algo kmp --icase -j %s\n", strstr(query, "://") + 3, drop_log);
#if defined(_HUB4_PRODUCT_REQ_) || defined (_RDKB_GLOBAL_PRODUCT_REQ_)
#if defined (_RDKB_GLOBAL_PRODUCT_REQ_)
if( 0 == strncmp( devicePartnerId, "sky-", 4 ) )
#endif
{
//In Hub4 keyword blocking feature is not working with FORWARD chain rules as CPE (dnsmasq) acts as DNS Proxy.
//Add rules in INPUT chain to resolve this issue.
fprintf(fp, "-I INPUT -i %s -j lan2wan_pc_site \n", lan_ifname);
}
#endif
const char *keyword = NULL;
int range_max = 1024; //max payload bytes to filter
int range_multiplier = 2;

// Extract keyword if user input is a full URL
if (strstr(query, "://") != NULL) {
keyword = strstr(query, "://") + 3;
} else {
fprintf(fp, "-A lan2wan_pc_site -m string --string \"%s\" --algo kmp --icase -j %s\n", query, drop_log);
keyword = query;
}

if (keyword == NULL || strlen(keyword) == 0) {
fprintf(stderr, "Warning: Empty keyword, skipping rule generation.\n");
return(0);
}

// Create rules for various ranges of payload to filter
int from,to;
for (from = 0, to = 64; from < range_max; from = to, to = (to * range_multiplier > range_max) ? range_max : to * range_multiplier)
{
char chainName[64] = {'\0'};

// Create new chain
// linux iptables chainname length is max 29 chars
snprintf(chainName, sizeof(chainName), "LOG_SiteBlk_KW_%d_%d", from, to);
fprintf(fp, ":%s - [0:0]\n", chainName);

// Add rule to jump to private chain if "Host:" is found in this offset range
fprintf(fp, "-A lan2wan_pc_site -p tcp --dport 80 -m string --string \"Host:\" --algo kmp --from %d --to %d --icase -j %s\n",
from, to, chainName);

// Add rule to match keyword in private chain within same offset range
fprintf(fp, "-A %s -m string --string \"%s\" --algo kmp --from %d --to %d --icase -j %s\n",
chainName, keyword, from, to, drop_log);

// Default rule to return if not matched
fprintf(fp, "-A %s -j RETURN\n", chainName);
}

// Add rule for https filter
fprintf(fp, "-A lan2wan_pc_site -p tcp --dport 443 -m string --string \"%s\" --algo kmp --icase -j %s\n",
keyword, drop_log);

#if defined(_HUB4_PRODUCT_REQ_) || defined (_RDKB_GLOBAL_PRODUCT_REQ_)
#if defined (_RDKB_GLOBAL_PRODUCT_REQ_)
if( 0 == strncmp( devicePartnerId, "sky-", 4 ) )
#endif
{
fprintf(fp, "-I INPUT -i %s -j lan2wan_pc_site \n", lan_ifname);
}
if( 0 == strncmp( devicePartnerId, "sky-", 4 ) )
#endif
{
//In Hub4 keyword blocking feature is not working with FORWARD chain rules as CPE (dnsmasq) acts as DNS Proxy.
//Add rules in INPUT chain to resolve this issue.
fprintf(fp, "-I INPUT -i %s -j lan2wan_pc_site \n", lan_ifname);
}
#endif
}
}
}
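Review bot: The keyword is written between double quotes into the generated rule text at both new `--string \"%s\"` sites (the per-range chain rule and the port-443 rule) with no check on its contents; the added validation rejects only an empty string. A keyword that contains `"`, a backslash or a line break would end the quoted argument early and change how the emitted line is parsed, so it should be rejected together with the empty case, e.g. `if (keyword[0] == '\0' || strpbrk(keyword, "\"\\\r\n") != NULL)`. Separately, `return(0)` in that branch leaves the enclosing function, which starts and ends outside this hunk; if this code sits inside a per-rule loop, as the `else if` on `method` suggests, one empty entry would skip every remaining rule, and `continue` may be what is intended. It is also worth confirming what happens when more than one KEYWD entry exists, since each pass emits the same `:LOG_SiteBlk_KW_<from>_<to> - [0:0]` chain declarations again.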