From 9f5f194a378a633505ba6d7a91c552405154d24b Mon Sep 17 00:00:00 2001 From: Vadim Vetrov Date: Fri, 13 Sep 2024 21:14:01 +0300 Subject: [PATCH 1/5] Support for luci in actions --- .github/workflows/build-ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-ci.yml b/.github/workflows/build-ci.yml index fc118aa..54d708e 100644 --- a/.github/workflows/build-ci.yml +++ b/.github/workflows/build-ci.yml @@ -21,7 +21,7 @@ jobs: - name: Checkout uses: actions/checkout@v4 with: - ref: 'openwrt' + ref: 'openwrt_luci' - name: GH id: gh @@ -197,7 +197,7 @@ jobs: - name: Checkout uses: actions/checkout@v4 with: - ref: 'openwrt' + ref: 'openwrt_luci' - name: Prepare build env: From 2ff83c603006578ca8034f7776d81334689048b6 Mon Sep 17 00:00:00 2001 From: Vadim Vetrov Date: Sat, 14 Sep 2024 11:08:38 +0300 Subject: [PATCH 2/5] Update firewall rules --- README.md | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 5d74ad4..ed19005 100644 --- a/README.md +++ b/README.md 
@@ -89,15 +89,19 @@ Copy `youtubeUnblock.service` to `/usr/lib/systemd/system` (you should change th On nftables you should put next nftables rules: ```sh -nft add rule inet fw4 mangle_forward tcp dport 443 ct original "packets < 20" counter queue num 537 bypass -nft insert rule inet fw4 output mark and 0x8000 == 0x8000 counter accept +nft add chain inet fw4 youtubeUnblock '{ type filter hook postrouting priority mangle - 1; policy accept; }' +nft add rule inet fw4 youtubeUnblock 'meta l4proto { tcp, udp } th dport 443 ct original packets < 20 counter queue num 537 bypass' +nft insert rule inet fw4 output 'mark and 0x8000 == 0x8000 counter accept' ``` #### Iptables rules On iptables you should put next iptables rules: ```sh -iptables -t mangle -A FORWARD -p tcp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass +iptables -t mangle -N YOUTUBEUNBLOCK +iptables -t mangle -A YOUTUBEUNBLOCK -p tcp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass +iptables -t mangle -A YOUTUBEUNBLOCK -p udp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass +iptables -t mangle -A POSTROUTING -j YOUTUBEUNBLOCK iptables -I OUTPUT -m mark --mark 32768/32768 -j ACCEPT ``` 
@@ -105,12 +109,13 @@ iptables -I OUTPUT -m mark --mark 32768/32768 -j ACCEPT For IPv6 on iptables you need to duplicate rules above for ip6tables: ```sh -ip6tables -t mangle -A FORWARD -p tcp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass +ip6tables -t mangle -N YOUTUBEUNBLOCK +ip6tables -t mangle -A YOUTUBEUNBLOCK -p tcp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass +ip6tables -t mangle -A YOUTUBEUNBLOCK -p udp --dport 443 -m connbytes --connbytes-dir original --connbytes-mode packets --connbytes 0:19 -j NFQUEUE --queue-num 537 --queue-bypass +ip6tables -t mangle -A POSTROUTING -j YOUTUBEUNBLOCK ip6tables -I OUTPUT -m mark --mark 32768/32768 -j ACCEPT ``` - - Note that above rules use *conntrack* to route only first 20 packets from the connection to **youtubeUnblock**. If you got some troubles with it, for example **youtubeUnblock** doesn't detect YouTube, try to delete *connbytes* from the rules. But it is an unlikely behavior and you should probably check your ruleset. From 8c405b81dfd2a07c2843f036138f8a4b53a147ea Mon Sep 17 00:00:00 2001 From: Vadim Vetrov Date: Sat, 14 Sep 2024 11:18:45 +0300 Subject: [PATCH 3/5] Log ip version for udp --- mangle.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/mangle.c b/mangle.c index df0ee5a..367178a 100644 --- a/mangle.c +++ b/mangle.c @@ -273,14 +273,16 @@ int process_udp4_packet(const uint8_t *pkt, uint32_t pktlen) { const struct udphdr *udph; const uint8_t *data; uint32_t dlen; + int ipver = netproto_version(pkt, pktlen); + lgtrace_start("Got udp packet"); + lgtrace_addp("IPv%d", ipver); int ret = udp4_payload_split((uint8_t *)pkt, pktlen, (struct iphdr **)&iph, &iph_len, (struct udphdr **)&udph, (uint8_t **)&data, &dlen); - lgtrace_start("Got udp packet"); - + if (ret < 0) { lgtrace_addp("undefined"); goto accept; 
From 7e73fa26135346ab4fc1564ca3758b5d0af93f3f Mon Sep 17 00:00:00 2001 From: Vadim Vetrov Date: Sat, 14 Sep 2024 11:39:10 +0300 Subject: [PATCH 4/5] Add documentation for LuCI and UCI --- README.md | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index ed19005..2db1b52 100644 --- a/README.md +++ b/README.md 
@@ -65,12 +65,18 @@ Next step is to add required firewall rules. For nftables on OpenWRT rules comes out-of-the-box and stored under `/usr/share/nftables.d/ruleset-post/537-youtubeUnblock.nft`. All you need is install requirements and do `/etc/init.d/firewall reload`. If no, go to [Firewall configuration](#firewall-configuration). -Now we are ready to demonize the application. +Now we go to the configuration. For OpenWRT here is configuration via UCI and LuCI available (CLI and GUI respectively). +LuCI configuration lives in **Services->youtubeUnblock** section. It is self descriptive, with description for each flag. -If you installed package from Github Actions or built it yourself with OpenWRT SDK, rc scripts are preinstalled. All you need is to do `/etc/init.d/youtubeUnblock start`. -Elsewhere copy `owrt/youtubeUnblock.owrt` to `/etc/init.d/youtubeUnblock` and put the program's binary into /usr/bin/. (Don't forget to `chmod +x` both). Now run `/etc/init.d/youtubeUnblock start`. +UCI configuration is available in /etc/config/youtubeUnblock file, in section `youtubeUnblock.youtubeUnblock`. The configuration is done with [flags](#flags). Note, that names of flags are not the same: you should replace `-` with `_`, you shouldn't use leading `--` for flag. Also you will enable toggle flags (without parameters) with `1`. -You can also run `/etc/init.d/youtubeUnblock enable` to force OpenWRT autostart on boot, but I don't recommend this since if the package has bugs you may lose access to the router (I think you will be able to reset it with reset settings tricks documented for your router). +For example, to enable trace logs you should do +```sh +uci set youtubeUnblock.youtubeUnblock.trace=1 +``` + +In CLI mode you will use youtubeUnblock as a normal init.d service: +for example, you can enable it with `/etc/init.d/youtubeUnblock enable`. ### Entware From 740df8979f2b4cfda906353afd7ec57067c4f7c8 Mon Sep 17 00:00:00 2001 
From: Vadim Vetrov Date: Sat, 14 Sep 2024 12:24:20 +0300 Subject: [PATCH 5/5] Add sections about restart after settings apply --- README.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 2db1b52..924165c 100644 --- a/README.md +++ b/README.md @@ -65,8 +65,9 @@ Next step is to add required firewall rules. For nftables on OpenWRT rules comes out-of-the-box and stored under `/usr/share/nftables.d/ruleset-post/537-youtubeUnblock.nft`. All you need is install requirements and do `/etc/init.d/firewall reload`. If no, go to [Firewall configuration](#firewall-configuration). -Now we go to the configuration. For OpenWRT here is configuration via UCI and LuCI available (CLI and GUI respectively). -LuCI configuration lives in **Services->youtubeUnblock** section. It is self descriptive, with description for each flag. +Now we go to the configuration. For OpenWRT here is configuration via [UCI](https://openwrt.org/docs/guide-user/base-system/uci) and [LuCI](https://openwrt.org/docs/guide-user/luci/start) available (CLI and GUI respectively). + +LuCI configuration lives in **Services->youtubeUnblock** section. It is self descriptive, with description for each flag. Note, that after you push `Save & Apply` button, the configuration is applied automatically and the service is restarted. UCI configuration is available in /etc/config/youtubeUnblock file, in section `youtubeUnblock.youtubeUnblock`. The configuration is done with [flags](#flags). Note, that names of flags are not the same: you should replace `-` with `_`, you shouldn't use leading `--` for flag. Also you will enable toggle flags (without parameters) with `1`. 
@@ -75,6 +76,8 @@ For example, to enable trace logs you should do uci set youtubeUnblock.youtubeUnblock.trace=1 ``` +For uci, to save the configs you should do `uci commit` and then `reload_config` to restart the youtubeUnblock + In CLI mode you will use youtubeUnblock as a normal init.d service: for example, you can enable it with `/etc/init.d/youtubeUnblock enable`.
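Review bot: in patch 1, the branch name `openwrt_luci` is now hard-coded in two separate `actions/checkout@v4` steps of `.github/workflows/build-ci.yml` (hunks `@@ -21,7 +21,7 @@` and `@@ -197,7 +197,7 @@`), so the next branch rename has to be made in both places in lockstep; lift it into one workflow-level `env:` value (or a `workflow_dispatch` input) and reference it from both `ref:` lines, e.g. `ref: ${{ env.OPENWRT_REF }}`. The subject "Support for luci in actions" describes no behaviour visible in the diff beyond the branch switch; if the LuCI package only exists on the `openwrt_luci` branch, the commit message should say so.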
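Review bot: the new `queue num 537 bypass` rule in the nftables hunk `@@ -89,15 +89,19 @@` of patch 2 (and its iptables twin in the `YOUTUBEUNBLOCK` chain of the same hunk) does not exclude packets that already carry the 0x8000 mark. The old rule sat in `mangle_forward` / `FORWARD`, a hook that never sees locally generated packets; the new chain hooks `postrouting`, which sees every outgoing packet including the ones the router itself emits. Unless youtubeUnblock recognises its own re-injected packets (the ones the `output ... mark and 0x8000 == 0x8000 accept` rule exists for), they will be queued back to the program for as long as `ct original packets < 20` still holds on that flow. Make the exclusion explicit in the ruleset: add `meta mark and 0x8000 != 0x8000` before `counter queue` in the nft rule and `-m mark ! --mark 32768/32768` to both `-j NFQUEUE` lines. Separately, the diffstat shows this series touches only README.md, while the context line in patch 4 (`@@ -65,12`) still tells OpenWRT users the rules ship in `/usr/share/nftables.d/ruleset-post/537-youtubeUnblock.nft`; if that file still carries the old `mangle_forward`, TCP-only rule, the installed and documented rulesets now differ (UDP 443 is not queued on a stock install), so it should be updated in the same series.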
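Review bot: the same mark-exclusion gap exists in the ip6tables hunk `@@ -105,12 +109,13 @@` of patch 2: the two `-j NFQUEUE` rules in the IPv6 `YOUTUBEUNBLOCK` chain, now reached from `POSTROUTING` rather than `FORWARD`, also match the router's own marked packets, so `-m mark ! --mark 32768/32768` belongs on both lines here too. The hunk additionally deletes the two blank lines between the closing fence and the "Note that above rules use *conntrack*" paragraph, an unrelated whitespace change that renders the same either way. With UDP 443 now queued, the retained advice to "delete *connbytes* from the rules" means every datagram of a long-lived UDP/443 flow goes to userspace, not just the first 20 packets; a sentence that this has a real throughput cost for UDP would save readers from applying it blindly.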
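Review bot: in the `mangle.c` hunk of patch 3, `lgtrace_addp("IPv%d", ipver)` is emitted before `udp4_payload_split` has validated the packet, so for an unparsable packet the trace now reads `IPv<n>` followed by `undefined`, where `<n>` is whatever `netproto_version` returns for input it could not classify (its error contract is not visible in this diff). Either check `ipver` against 4 and 6 before logging it, or move the `IPv%d` entry after the `if (ret < 0)` guard. Minor: the `-`/`+` pair of otherwise empty lines after the `ret` assignment looks like a whitespace-only change (trailing blank) that should not ride along in a logging commit.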
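Review bot: the hunk `@@ -65,12 +65,18 @@` in patch 4 drops two pieces of information without replacement. First, the manual-install path (copy `owrt/youtubeUnblock.owrt` to `/etc/init.d/youtubeUnblock`, put the binary into `/usr/bin/`, `chmod +x` both) is gone, so readers who did not install the package from Github Actions or the OpenWRT SDK no longer learn how to get an init script at all. Second, the warning that `/etc/init.d/youtubeUnblock enable` can cost you access to the router on boot if the program misbehaves is replaced by a bare "you can enable it with `/etc/init.d/youtubeUnblock enable`"; for a daemon that mangles packets on the postrouting path, keep that caveat and the reset-settings hint next to the `enable` command. Also, `uci set youtubeUnblock.youtubeUnblock.trace=1` on its own is neither persisted nor applied; patch 5 adds the `uci commit` step, but folding it into this hunk keeps the series correct at every commit.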
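Review bot: in the first hunk of patch 5 (`@@ -65,8 +65,9 @@`), the new LuCI sentence says `Save & Apply` applies the configuration and restarts the service automatically, but the UCI paragraph right below it gives no equivalent; state in the same place that a LuCI apply corresponds to `uci commit youtubeUnblock` followed by a service restart, so the GUI and CLI paths are documented consistently. Grammar nit in the retained line: "here is configuration via ... available" reads awkwardly; "configuration is available via UCI and LuCI" is clearer.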
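Review bot: in the second hunk of patch 5 (`@@ -75,6 +76,8 @@`), `uci commit` with no argument commits every pending change in every UCI config on the system, not only youtubeUnblock's; document `uci commit youtubeUnblock` so a reader with unrelated uncommitted edits (a half-finished firewall change, say) does not push them by accident. Likewise `reload_config` asks procd to reload every service whose config changed since the last run, so if the intent is only to restart this daemon, `/etc/init.d/youtubeUnblock restart` is the targeted command; mention both. The added sentence also lacks a terminal period, and the article in "restart the youtubeUnblock" should go.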