luci-0.8: merge r4768-r4769
This commit is contained in:
parent
d42861c922
commit
cf22d01f09
4 changed files with 145 additions and 1 deletions
46
contrib/package/freifunk-p2pblock/Makefile
Normal file
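--- /dev/null
+++ b/contrib/package/freifunk-p2pblock/Makefile
@@ -0,0 +1,46 @@
+#
+# Copyright (C) 2009 Andreas Seidler <tetzlav@subsignal.org>
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=freifunk-p2pblock
+PKG_RELEASE:=1
+
+PKG_BUILD_DIR := $(BUILD_DIR)/$(PKG_NAME)
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/freifunk-p2pblock
+SECTION:=net
+CATEGORY:=Network
+TITLE:=Freifunk p2pblock Addon
+DEPENDS:=+iptables-mod-filter +l7-protocols +iptables-mod-conntrack-extra
+endef
+
+define Package/freifunk-p2pblock/description
+Simple Addon for Freifunk which use iptables layer7-, ipp2p- and recent-modules
+to block p2p/filesharing traffic
+endef
+
+define Build/Prepare
+	mkdir -p $(PKG_BUILD_DIR)
+endef
+
+define Build/Configure
+endef
+
+define Build/Compile
+endef
+
+define Package/freifunk-p2pblock/install
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/freifunk-p2pblock.init $(1)/etc/init.d/freifunk-p2pblock
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_BIN) ./files/freifunk-p2pblock.config $(1)/etc/config/freifunk-p2pblock
+endef
+
+$(eval $(call BuildPackage,freifunk-p2pblock))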
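Review bot: The UCI config is installed with `$(INSTALL_BIN)` on the last line of the install recipe, which makes `/etc/config/freifunk-p2pblock` an executable (0755) file; a config file belongs in with `$(INSTALL_CONF) ./files/freifunk-p2pblock.config $(1)/etc/config/freifunk-p2pblock` so it lands as a plain, non-executable file like the rest of /etc/config. The description and the init script both rely on the ipp2p match (`insmod ipt_ipp2p`, `-m ipp2p`), yet DEPENDS only names iptables-mod-filter, l7-protocols and iptables-mod-conntrack-extra — if the ipp2p match is a separate package in this tree it is missing here, and since the init script never checks iptables' exit status the rules would just silently not exist at runtime. A short comment above DEPENDS mapping each package to the match it supplies (`# filter: layer7, conntrack-extra: recent, ...: ipp2p`) would make that dependency auditable.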
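--- /dev/null
+++ b/contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.config
@@ -0,0 +1,6 @@
+config 'p2pblock'
+	option 'portrange' '1024:65535'
+	option 'layer7' 'edonkey bittorrent fasttrack'
+	option 'ipp2p' 'edk dc kazaa gnu bit ares soul winmx apple'
+	option 'blocktime' '60'
+	option 'whitelist' ''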
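Review bot: None of the five options is documented, and two have non-obvious formats: `blocktime` is handed to `-m recent --seconds` by the init script, so it is in seconds, and `whitelist` is split word by word into `-d $ip -j RETURN` rules, so it is a space-separated list of destination addresses. A header comment such as `# blocktime: seconds; whitelist: space-separated destination IPs/networks exempt from blocking` would help; UCI skips `#` lines, but `uci commit` rewrites the file without them, so the package description or a README is the durable place for the same text.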
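--- /dev/null
+++ b/contrib/package/freifunk-p2pblock/files/freifunk-p2pblock.init
@@ -0,0 +1,89 @@
+#!/bin/sh /etc/rc.common
+
+START=82
+ME="freifunk-p2pblock"
+LOCK='/var/run/p2pblock.lock'
+
+# helper-scripts
+ipt_add() {
+	logger -t "$ME" "set 'iptables -I $1'"
+	iptables -I $1
+	echo "iptables -D $1" >> $LOCK
+}
+
+start() {
+	if [ ! -s "$LOCK" ]; then
+		logger -s -t "$ME" 'starting p2pblock...'
+
+		config_load network
+		config_get wan wan ifname
+		config_load freifunk-p2pblock
+		config_get layer7 p2pblock layer7
+		config_get ipp2p p2pblock ipp2p
+		config_get portrange p2pblock portrange
+		config_get blocktime p2pblock blocktime
+
+		# load modules
+		insmod ipt_ipp2p 2>&-
+		insmod ipt_layer7 2>&-
+		insmod ipt_recent ip_list_tot=400 ip_pkt_list_tot=3 2>&-
+
+		# create new p2p-chain
+		iptables -N p2pblock
+		# pipe all incomming FORWARD with source-/destination-port 1024-65535 throu p2p-chain
+		ipt_add "FORWARD -i $wan -p tcp --sport $portrange --dport $portrange -j p2pblock"
+		ipt_add "FORWARD -i $wan -p udp --sport $portrange --dport $portrange -j p2pblock"
+
+		# if p2p-traffic blocked 3 packages to a destination ip then block all traffic within the next 180 sec (port 1024-65535)
+		ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -j DROP"
+		ipt_add "p2pblock -m recent --rdest --rcheck --name P2PBLOCK --seconds $blocktime --hitcount 3 -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-DROP:"
+
+		# create layer7-rules
+		for proto in $layer7; do
+			ipt_add "p2pblock -m layer7 --l7proto $proto -m recent --rdest --set --name P2PBLOCK"
+			ipt_add "p2pblock -m layer7 --l7proto $proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:"
+		done
+
+		# create ipp2p-rules
+		for proto in $ipp2p; do
+			ipt_add "p2pblock -m ipp2p --$proto -m recent --rdest --set --name P2PBLOCK"
+			ipt_add "p2pblock -m ipp2p --$proto -m limit --limit 1/minute -j LOG --log-prefix P2PBLOCK-seen-$proto:"
+		done
+
+		# insert whitelisted ips
+		for ip in $WHITELIST; do
+			ipt_add "p2pblock -d $ip -j RETURN"
+		done
+
+		logger -s -t "$ME" 'Done.'; return 0
+
+	else
+		logger -s -t "$ME" 'WARNING! already running - Aborting!'; return 2
+
+	fi
+}
+
+stop() {
+	if [ -s "$LOCK" ]; then
+		logger -s -t "$ME" 'stopping p2pblock...'
+
+		# unset all rules in $LOCK-file
+		cat $LOCK | sed -ne '1!G;h;$p' | while read line; do
+			logger -t "$ME" "unset $line"
+			while eval $line 2>&-; do :; done
+		done; : > "$LOCK"
+
+		# flush and delete the p2p-chain
+		iptables -F p2pblock
+		iptables -X p2pblock
+		logger -s -t "$ME" 'Done.'; return 0
+
+	else
+		logger -s -t "$ME" 'WARNING! not running - Aborting!'; return 2
+
+	fi
+}
+
+restart() {
+	stop; sleep 1; start
+}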
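Review bot: The whitelist loop in start() iterates `$WHITELIST`, but nothing assigns that variable — the config_get block loads layer7, ipp2p, portrange and blocktime and never the `whitelist` option, so no RETURN rule is ever created and the config option is dead; add `config_get WHITELIST p2pblock whitelist` next to the other config_get lines. Separately, stop() runs `eval $line` on every line of `$LOCK`, and those lines are assembled from unquoted UCI values (`$portrange`, `$proto`, `$ip`, `$wan`), so a value containing shell metacharacters is executed as root at stop time; the config is root-owned, so this is a misconfiguration hazard rather than a remote one, but rejecting values outside a safe character set before ipt_add, or writing only the rule arguments to the file and calling `iptables -D` on them directly, would remove the eval entirely. The comment above the first recent rule still says "180 sec" while the shipped default for blocktime is 60 — make it `# ... then block all traffic to it for the next $blocktime seconds`. Also note that ipt_add never checks iptables' exit status, so an empty `$wan` (no ifname on the wan section) makes both FORWARD rules fail while the script still logs Done.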
|
@ -56,4 +56,7 @@ uci_set_state firewall core loaded 1
|
|||
config_foreach fw_addif interface
|
||||
config_foreach apply_nat_fix interface
|
||||
|
||||
[ -x /etc/init.d/luci_splash ] && /etc/init.d/luci_splash start
|
||||
[ -x /etc/init.d/luci_splash ] && ( sleep 3; /etc/init.d/luci_splash restart )&
|
||||
|
||||
[ -x /etc/init.d/freifunk-p2pblock ] && /etc/init.d/freifunk-p2pblock enabled && \
|
||||
( sleep 3; /etc/init./freifunk-p2pblock restart )&
|
||||
|
|
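Review bot: The restart on the last added line calls `/etc/init./freifunk-p2pblock`, which is not the path the `-x` test on the preceding line checks, so the backgrounded subshell always fails and p2pblock is never re-applied after the firewall reloads; it should read `( sleep 3; /etc/init.d/freifunk-p2pblock restart )&`. Since the rules are re-inserted by a detached background job, a comment such as `# re-add the p2pblock rules once the FORWARD chain has been rebuilt; 3s matches the luci_splash delay above` would explain the sleep to the next reader. The function enclosing this hunk starts before the visible lines.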