From a0277aa4f9d68bb58fbd4cc8c962092440b2b845 Mon Sep 17 00:00:00 2001 From: Eric Sauvageau Date: Fri, 31 Jan 2020 17:56:26 -0500 Subject: [PATCH 1/2] rc: made dnsfilter server list a global; defined enums for list entries, and used these defines instead of hardcoded values --- release/src/router/rc/dnsfilter.c | 131 +++++++++++++++--------------- release/src/router/rc/dnsfilter.h | 45 ++++++++++ release/src/router/rc/format.c | 15 ++-- 3 files changed, 121 insertions(+), 70 deletions(-) create mode 100644 release/src/router/rc/dnsfilter.h diff --git a/release/src/router/rc/dnsfilter.c b/release/src/router/rc/dnsfilter.c index 2ac7e6f4c3b..a3f41b48971 100644 --- a/release/src/router/rc/dnsfilter.c +++ b/release/src/router/rc/dnsfilter.c @@ -15,31 +15,70 @@ * MA 02111-1307 USA * * - * Copyright 2014-2019 Eric Sauvageau. + * Copyright 2014-2020 Eric Sauvageau. * */ #include #include - - #ifdef RTCONFIG_DNSFILTER +#include "dnsfilter.h" + +char *server_table[][2] = { + { "", "" }, /* 0: Unfiltered */ + { "208.67.222.222", "" }, /* 1: OpenDNS */ + { "", "" }, /* 2: Discontinued Norton Connect Safe */ + { "", "" }, /* 3: Discontinued Norton Connect Safe */ + { "", "" }, /* 4: Discontinued Norton Connect Safe */ + { "77.88.8.88", "" }, /* 5: Secure Mode safe.dns.yandex.ru */ + { "77.88.8.7", "" }, /* 6: Family Mode family.dns.yandex.ru */ + { "208.67.222.123", "" }, /* 7: OpenDNS Family Shield */ + { "", "" }, /* 8: Custom1 */ + { "", "" }, /* 9: Custom2 */ + { "", "" }, /* 10: Custom3 */ + { "", "" }, /* 11: Router */ + { "8.26.56.26", "" }, /* 12: Comodo Secure DNS */ + { "9.9.9.9", "" }, /* 13: Quad9 */ + { "185.228.168.9", "" }, /* 14: CleanBrowsing Security */ + { "185.228.168.10", "" }, /* 15: CleanBrowsing Adult */ + { "185.228.168.168", "" } /* 16: CleanBrowsing Family */ +}; + +#ifdef RTCONFIG_IPV6 +char *server6_table[][2] = { + {"", ""}, /* 0: Unfiltered */ + {"", ""}, /* 1: OpenDNS */ + {"", ""}, /* 2: Discontinued Norton Connect Safe */ + {"", ""}, /* 3: Discontinued Norton Connect Safe */ + {"", ""}, /* 4: Discontinued Norton Connect Safe */ + {"2a02:6b8::feed:bad","2a02:6b8:0:1::feed:bad"}, /* 5: Secure Mode safe.dns.yandex.ru */ + {"2a02:6b8::feed:a11","2a02:6b8:0:1::feed:a11"}, /* 6: Family Mode family.dns.yandex.ru */ + {"", ""}, /* 7: OpenDNS Family Shield */ + {"", ""}, /* 8: Custom1 - not supported yet */ + {"", ""}, /* 9: Custom2 - not supported yet */ + {"", ""}, /* 10: Custom3 - not supported yet */ + {"", ""}, /* 11: Router - semi-supported, refer dnsfilter_setup_dnsmasq() */ + {"", ""}, /* 12: Comodo Secure DNS */ + {"2620:fe::fe", "2620:fe::9"}, /* 13: Quad9 */ + {"2a0d:2a00:1::2", "2a0d:2a00:2::2"}, /* 14: CleanBrowsing Security */ + {"2a0d:2a00:1::1", "2a0d:2a00:2::1"}, /* 15: CleanBrowsing Adult */ + {"2a0d:2a00:1::", "2a0d:2a00:2::"} /* 16: CleanBrowsing Family */ +}; +#endif -int get_dns_filter(int proto, int mode, char **server); -int dnsfilter_support_dot(int mode); // Return 1 if selected mode supports DNS over TLS int dnsfilter_support_dot(int mode) { switch (mode){ - case 8: - case 9: - case 10: // Custom 1, 2 and 3 - assume they might support it - case 13: // Quad9 - case 11: // Router (in case end-user implements it locally) - case 14: - case 15: - case 16: // CleanBrowsing 1-3 + case DNSF_SRV_CUSTOM1: + case DNSF_SRV_CUSTOM2: + case DNSF_SRV_CUSTOM3: // Custom 1, 2 and 3 - assume they might support it + case DNSF_SRV_QUAD9: + case DNSF_SRV_ROUTER: // Router (in case end-user implements it locally) + case DNSF_SRV_CLEANBROWSING_SECURITY: + case DNSF_SRV_CLEANBROWSING_ADULT: + case DNSF_SRV_CLEANBROWSING_FAMILY: return 1; default: return 0; @@ -49,52 +88,14 @@ int dnsfilter_support_dot(int mode) // ARG: server must be an array of two pointers, each pointing to an array of chars int get_dns_filter(int proto, int mode, char **server) { + server_table[DNSF_SRV_CUSTOM1][0] = nvram_safe_get("dnsfilter_custom1"); + server_table[DNSF_SRV_CUSTOM2][0] = nvram_safe_get("dnsfilter_custom2"); + server_table[DNSF_SRV_CUSTOM3][0] = nvram_safe_get("dnsfilter_custom3"); + server_table[DNSF_SRV_ROUTER][0] = nvram_safe_get("dhcp_dns1_x"); + int count = 0; - char *server_table[][2] = { - { "", "" }, /* 0: Unfiltered */ - { "208.67.222.222", "" }, /* 1: OpenDNS */ - { "", "" }, /* 2: Discontinued Norton Connect Safe */ - { "", "" }, /* 3: Discontinued Norton Connect Safe */ - { "", "" }, /* 4: Discontinued Norton Connect Safe */ - { "77.88.8.88", "" }, /* 5: Secure Mode safe.dns.yandex.ru */ - { "77.88.8.7", "" }, /* 6: Family Mode family.dns.yandex.ru */ - { "208.67.222.123", "" }, /* 7: OpenDNS Family Shield */ - { nvram_safe_get("dnsfilter_custom1"), "" }, /* 8: Custom1 */ - { nvram_safe_get("dnsfilter_custom2"), "" }, /* 9: Custom2 */ - { nvram_safe_get("dnsfilter_custom3"), "" }, /* 10: Custom3 */ - { nvram_safe_get("dhcp_dns1_x"), "" }, /* 11: Router */ - { "8.26.56.26", "" }, /* 12: Comodo Secure DNS */ - { "9.9.9.9", "" }, /* 13: Quad9 */ - { "185.228.168.9", "" }, /* 14: CleanBrowsing Security */ - { "185.228.168.10", "" }, /* 15: CleanBrowsing Adult */ - { "185.228.168.168", "" } /* 16: CleanBrowsing Family */ - }; -#ifdef RTCONFIG_IPV6 - char *server6_table[][2] = { - {"", ""}, /* 0: Unfiltered */ - {"", ""}, /* 1: OpenDNS */ - {"", ""}, /* 2: Discontinued Norton Connect Safe */ - {"", ""}, /* 3: Discontinued Norton Connect Safe */ - {"", ""}, /* 4: Discontinued Norton Connect Safe */ - {"2a02:6b8::feed:bad","2a02:6b8:0:1::feed:bad"}, /* 5: Secure Mode safe.dns.yandex.ru */ - {"2a02:6b8::feed:a11","2a02:6b8:0:1::feed:a11"}, /* 6: Family Mode family.dns.yandex.ru */ - {"", ""}, /* 7: OpenDNS Family Shield */ - {"", ""}, /* 8: Custom1 - not supported yet */ - {"", ""}, /* 9: Custom2 - not supported yet */ - {"", ""}, /* 10: Custom3 - not supported yet */ - {"", ""}, /* 11: Router - semi-supported, refer dnsfilter_setup_dnsmasq() */ - {"", ""}, /* 12: Comodo Secure DNS */ - {"2620:fe::fe", "2620:fe::9"}, /* 13: Quad9 */ - {"2a0d:2a00:1::2", "2a0d:2a00:2::2"}, /* 14: CleanBrowsing Security */ - {"2a0d:2a00:1::1", "2a0d:2a00:2::1"}, /* 15: CleanBrowsing Adult */ - {"2a0d:2a00:1::", "2a0d:2a00:2::"} /* 16: CleanBrowsing Family */ - }; -#endif // Initialize - server[0] = server_table[0][0]; - server[1] = server_table[0][1]; - if (mode >= (sizeof(server_table)/sizeof(server_table[0]))) mode = 0; #ifdef RTCONFIG_IPV6 @@ -109,7 +110,7 @@ int get_dns_filter(int proto, int mode, char **server) } // Ensure that custom and DHCP-provided DNS do contain something - if (((mode == 8) || (mode == 9) || (mode == 10) || (mode == 11)) && (!strlen(server[0])) && (proto == AF_INET)) { + if (((mode == DNSF_SRV_CUSTOM1) || (mode == DNSF_SRV_CUSTOM2) || (mode == DNSF_SRV_CUSTOM3) || (mode == DNSF_SRV_ROUTER)) && (!strlen(server[0])) && (proto == AF_INET)) { server[0] = nvram_safe_get("lan_ipaddr"); } @@ -148,7 +149,7 @@ void dnsfilter_settings(FILE *fp, char *lan_ip) { if (!*mac || !*mode || !ether_atoe(mac, ea)) continue; dnsmode = atoi(mode); - if (dnsmode == 0) { + if (dnsmode == DNSF_SRV_UNFILTERED) { fprintf(fp, "-A DNSFILTER -m mac --mac-source %s -j RETURN\n", mac); @@ -162,7 +163,7 @@ void dnsfilter_settings(FILE *fp, char *lan_ip) { /* Send other queries to the default server */ dnsmode = nvram_get_int("dnsfilter_mode"); - if ((dnsmode) && get_dns_filter(AF_INET, dnsmode, server)) { + if ((dnsmode != DNSF_SRV_UNFILTERED) && get_dns_filter(AF_INET, dnsmode, server)) { fprintf(fp, "-A DNSFILTER -j DNAT --to-destination %s\n", server[0]); } } @@ -195,7 +196,7 @@ void dnsfilter6_settings(FILE *fp, char *lan_if, char *lan_ip) { dnsmode = atoi(mode); if (!*mac || !ether_atoe(mac, ea)) continue; - if (dnsmode == 0) { // Unfiltered + if (dnsmode == DNSF_SRV_UNFILTERED) { fprintf(fp, "-A DNSFILTERI -m mac --mac-source %s -j ACCEPT\n" "-A DNSFILTERF -m mac --mac-source %s -j ACCEPT\n" "-A DNSFILTER_DOT -m mac --mac-source %s -j ACCEPT\n", @@ -222,7 +223,7 @@ void dnsfilter6_settings(FILE *fp, char *lan_if, char *lan_ip) { free(nv); dnsmode = nvram_get_int("dnsfilter_mode"); - if (dnsmode) { + if (dnsmode != DNSF_SRV_UNFILTERED) { /* Allow other queries to the default server, and drop the rest */ count = get_dns_filter(AF_INET6, dnsmode, server); if (count) { @@ -260,7 +261,7 @@ void dnsfilter_setup_dnsmasq(FILE *fp) { if (dnsmode == defmode) continue; count = get_dns_filter(AF_INET6, dnsmode, server); - if (count == 0 && dnsmode == 11) { + if (count == 0 && dnsmode == DNSF_SRV_ROUTER) { /* Workaround dynamic router address */ server[0] = "::"; count = 1; @@ -284,7 +285,7 @@ void dnsfilter_setup_dnsmasq(FILE *fp) { continue; dnsmode = atoi(mode); /* Skip unfiltered, default, or non-IPv6 capable levels */ - if ((dnsmode == 0) || (dnsmode == defmode) || (get_dns_filter(AF_INET6, dnsmode, server) == 0)) + if ((dnsmode == DNSF_SRV_UNFILTERED) || (dnsmode == defmode) || (get_dns_filter(AF_INET6, dnsmode, server) == 0)) continue; fprintf(fp, "dhcp-host=%s,set:dnsf%u\n", mac, dnsmode); } @@ -317,7 +318,7 @@ void dnsfilter_dot_rules(FILE *fp, char *lan_if) if (!*mac || !*mode || !ether_atoe(mac, ea)) continue; dnsmode = atoi(mode); - if (dnsmode == 0) // Unfiltered + if (dnsmode == DNSF_SRV_UNFILTERED) fprintf(fp, "-A DNSFILTER_DOT -m mac --mac-source %s -j RETURN\n", mac); else if (dnsfilter_support_dot(dnsmode) && get_dns_filter(AF_INET, dnsmode, server) > 0 ) // Filter supports DOT fprintf(fp, "-A DNSFILTER_DOT -m mac --mac-source %s ! -d %s -j REJECT\n", mac, server[0]); @@ -328,7 +329,7 @@ void dnsfilter_dot_rules(FILE *fp, char *lan_if) /* Global filtering */ dnsmode = nvram_get_int("dnsfilter_mode"); - if (dnsmode) { + if (dnsmode != DNSF_SRV_UNFILTERED) { if (dnsfilter_support_dot(dnsmode) && get_dns_filter(AF_INET, dnsmode, server) > 0 ) fprintf(fp, "-A DNSFILTER_DOT ! -d %s -j REJECT\n", server[0]); else diff --git a/release/src/router/rc/dnsfilter.h b/release/src/router/rc/dnsfilter.h new file mode 100644 index 00000000000..b1535532232 --- /dev/null +++ b/release/src/router/rc/dnsfilter.h @@ -0,0 +1,45 @@ +/* + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; either version 2 of + * the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, + * MA 02111-1307 USA + * + * + * Copyright 2014-2020 Eric Sauvageau. + * + */ + +extern int get_dns_filter(int proto, int mode, char **server); +extern int dnsfilter_support_dot(int mode); + +/* DNSFilter Services */ +enum { + DNSF_SRV_UNFILTERED = 0, + DNSF_SRV_OPENDNS, + DNSF_SRV_NORTON1, + DNSF_SRV_NORTON2, + DNSF_SRV_NORTON3, + DNSF_SRV_YANDEX_SECURE, + DNSF_SRV_YANDEX_FAMILY, + DNSF_SRV_OPENDNS_FAMILY, + DNSF_SRV_CUSTOM1, + DNSF_SRV_CUSTOM2, + DNSF_SRV_CUSTOM3, + DNSF_SRV_ROUTER, + DNSF_SRV_COMODO, + DNSF_SRV_QUAD9, + DNSF_SRV_CLEANBROWSING_SECURITY, + DNSF_SRV_CLEANBROWSING_ADULT, + DNSF_SRV_CLEANBROWSING_FAMILY, + DNSF_SRV_LAST +}; diff --git a/release/src/router/rc/format.c b/release/src/router/rc/format.c index 89a96e1c72a..428ee1ba37c 100644 --- a/release/src/router/rc/format.c +++ b/release/src/router/rc/format.c @@ -17,6 +17,10 @@ extern int vpnc_load_profile(VPNC_PROFILE *list, const int list_size, const int #include #include +#ifdef RTCONFIG_DNSFILTER +#include "dnsfilter.h" +#endif + void adjust_merlin_config(void) { #ifdef RTCONFIG_OPENVPN @@ -151,8 +155,8 @@ void adjust_merlin_config(void) /* Remove discontinued DNSFilter services */ #ifdef RTCONFIG_DNSFILTER globalmode = nvram_get_int("dnsfilter_mode"); - if (globalmode == 2 || globalmode == 3 || globalmode == 4) - nvram_set("dnsfilter_mode", "7"); + if (globalmode == DNSF_SRV_NORTON1 || globalmode == DNSF_SRV_NORTON2 || globalmode == DNSF_SRV_NORTON3) + nvram_set_int("dnsfilter_mode", DNSF_SRV_OPENDNS_FAMILY); #ifdef HND_ROUTER nv = nvp = malloc(255 * 6 + 1); @@ -171,9 +175,10 @@ void adjust_merlin_config(void) if (!*mac || !*mode ) continue; - if (mode[0] == '2' || mode[0] == '3' || mode[0] == '4') mode[0] = '7'; - - snprintf(tmp, sizeof(tmp), "<%s>%s>%s", name, mac, mode); + if (atoi(mode) == DNSF_SRV_NORTON1 || atoi(mode) == DNSF_SRV_NORTON2 || atoi(mode) == DNSF_SRV_NORTON3) + snprintf(tmp, sizeof(tmp), "<%s>%s>%d", name, mac, DNSF_SRV_OPENDNS_FAMILY); + else + snprintf(tmp, sizeof(tmp), "<%s>%s>%s", name, mac, mode); strcat(newstr, tmp); } From c8e2b14fb2cc682aac0e22ae964dee28eda004f8 Mon Sep 17 00:00:00 2001 From: Eric Sauvageau Date: Fri, 31 Jan 2020 17:56:46 -0500 Subject: [PATCH 2/2] Updated documentation --- Changelog-NG.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog-NG.txt b/Changelog-NG.txt index 6778de4d37f..60261272868 100644 --- a/Changelog-NG.txt +++ b/Changelog-NG.txt @@ -31,7 +31,7 @@ Asuswrt-Merlin 384/NG Changelog - UPDATED: Backported some fixes from 384_81981, mostly related to WAN, port bonding and mdns. - - UPDATED: Merged GPK 384_7756 for RT-AX88U, which adds OFDMA and + - UPDATED: Merged GPL 384_7756 for RT-AX88U, which adds OFDMA and WPA3 support to that model. - UPDATED: Merged with GPL 385_10002 for other models (from RT-AC68U) - UPDATED: odhcp6c to 1.1-97-ge199804 (themiron)