
[Toastman] Access Restrictions using RegEx do not work since β7503/0503

Discussion in 'Tomato Firmware' started by Quad5Ny, Apr 30, 2014.

  1. Quad5Ny

    Quad5Ny Connected Client Member

    Ok, so on Toastman's 1.28.0505: since Toastman's 0503 build, domains blocked in the "Http Request" box do not work if you use any RegEx in the domain names.

    Is this a bug or has the syntax changed? (I don't have the default rule to check)


    Running tomato-K26USB-NVRAM64K-1.28.0505MIPSR2Toastman-RT-N-Ext on a RT-N66U
     
    Last edited: May 5, 2014
  2. Mihai Olimpiu-Cristian

    Mihai Olimpiu-Cristian Serious Server Member

    It now uses a new module; it only checks for a string. You only have to type facebook and it blocks every domain that contains the string facebook. It also works on https connections now.
     
  3. koitsu

    koitsu Network Guru Member

    Mihai, I'm not sure that's true. I thought Toastman was one of the firmwares which did not replace the HTTP analysis netfilter/iptables module (called web) with xt_string, i.e. it still uses the old web module which supports a limited form of regex when matching against the request itself, the Host: header, or the domain.

    Other firmwares did adapt xt_string -- and I tried to warn them all of the problems with doing that, losing basic regex support was one of them -- but as I said I don't think Toastman is one of them. I could be wrong however and would need to go look at the code (I'm one of the few who had to do so in the first place), but I don't have time for that right now, so if someone else could put in that effort I'd appreciate it.

    Otherwise read the Toastman changelogs. He's very good about documenting changes of this nature. Edit: I just went through the ChangeLog and all I see is that building the xt_string module (it's statically included, not dynamic, so you won't find xt_string.ko anywhere on the filesystem) was added back in March 2013, but the Access Restrictions code should still be using the old web.ko module (which supports regex).

    P.S. -- I wish the OP would have disclosed what firmware he was using before the upgrade. I do not want the "version", I want the FILENAME. The version is not precise enough. Knowing both filenames (old vs. new) would allow Toastman or myself or anyone else to go through the diff/changes in the code to see what all happened. Without knowing the old vs. new, this cannot be done as easily.
     
  4. jerrm

    jerrm Network Guru Member

    Also, the output of "iptables -vnL" would answer a lot of potential questions.

    If you're a gui only user go to Tools->System Commands, enter "iptables -vnL" in the Command text box, click execute, post results.
     
    Quad5Ny likes this.
  5. Mihai Olimpiu-Cristian

    Mihai Olimpiu-Cristian Serious Server Member

    I'm sorry, I thought he changed it also...
     
    Last edited: May 1, 2014
  6. Quad5Ny

    Quad5Ny Connected Client Member

    The last paragraph on the first post has the file name, it is not a signature. - "Running tomato-K26USB-NVRAM64K-1.28.0505MIPSR2Toastman-RT-N-Ext on a RT-N66U"

    That is slightly unfortunate seeing as strings and domains worked on older builds. Also strings sometimes block something that maybe should not have been blocked. For example, I had to remove TestDomain.com$, TestDomainNoDollarSymbol.com and TestString from the rule before I was able to post this reply, as the connection was being rejected!

    ---

    • Previous Build - tomato-K26USB-NVRAM64K-1.28.0500-MIPSR2Toastman-RT-N-Mini.trx (I'm guessing the file name here because I only have the os_version string from a nvram dump -- os_version=1.28.0500 MIPSR2Toastman-RT-N K26 Mini)
    • Current Build - tomato-K26USB-NVRAM64K-1.28.0505-MIPSR2Toastman-RT-N-Ext.trx

    Code:
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination        
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
      156 17813 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
       10   665 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:33434:33534 limit: avg 5/sec burst 5
        5  1811 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination        
        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0          
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
        0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
        0     0 restrict   all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0          
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
        0     0 wanin      all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0          
        0     0 wanout     all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0          
        0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
        0     0 upnp       all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0          
        0     0 ACCEPT     all  --  *      br0     0.0.0.0/0            192.168.1.202      
    
    Chain OUTPUT (policy ACCEPT 136 packets, 103K bytes)
    pkts bytes target     prot opt in     out     source               destination        
    
    Chain rdev01 (1 references)
    pkts bytes target     prot opt in     out     source               destination        
        0     0 rres01     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] MAC E0:B9:BA:00:00:00 
        0     0 rres01     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] MAC F4:F9:51:00:00:00 
        0     0 rres01     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] MAC F4:37:B7:00:00:00 
        0     0 rres01     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] MAC E4:98:D6:00:00:00 
    
    Chain restrict (1 references)
    pkts bytes target     prot opt in     out     source               destination        
        0     0 rres00     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
        0     0 rdev01     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    
    Chain rres00 (1 references)
    pkts bytes target     prot opt in     out     source               destination        
        0     0 rstr00     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 53,80,443
        0     0 rstr00     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    
    Chain rres01 (4 references)
    pkts bytes target     prot opt in     out     source               destination        
        0     0 rstr01     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 53,80,443
        0     0 rstr01     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    
    Chain rstr00 (2 references)
    pkts bytes target     prot opt in     out     source               destination        
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "TestString" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "TestString" ALGO name bm FROM 1 TO 600 reject-with tcp-reset
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "TestDomainNoDollarSymbol.com" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "TestDomainNoDollarSymbol.com" ALGO name bm FROM 1 TO 600 reject-with tcp-reset
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "TestDomain.com$" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "TestDomain.com$" ALGO name bm FROM 1 TO 600 reject-with tcp-reset
    
    Chain rstr01 (2 references)
    pkts bytes target     prot opt in     out     source               destination        
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "com_apple_MobileAsset_SoftwareUpdate" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "com_apple_MobileAsset_SoftwareUpdate" ALGO name bm FROM 1 TO 600 reject-with tcp-reset
    
    Chain upnp (1 references)
    pkts bytes target     prot opt in     out     source               destination        
    
    Chain wanin (1 references)
    pkts bytes target     prot opt in     out     source               destination        
    
    Chain wanout (1 references)
    pkts bytes target     prot opt in     out     source               destination        
     
    Last edited: May 2, 2014
  7. kthaddock

    kthaddock Network Guru Member

    I think you have missed some signs when you use access restriction;
    here are valid ones:

    ^begins-with.domain.
    .
    ends-with.net$
    ^
    www.exact-domain.net$

    They all start and end with a special character at the start and end of the blocked strings.
     
  8. Quad5Ny

    Quad5Ny Connected Client Member

    I tried your suggestion to block wimp.com but the Access Restriction rule still does not work with ^ or $.

    Code:
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination        
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
      169 18890 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0          
       13   846 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 1/sec burst 5 
        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:33434:33534 limit: avg 5/sec burst 5 
        9  3408 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68 
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target     prot opt in     out     source               destination        
        0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0          
        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
       31  1916 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
       96 17006 restrict   all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0          
      128 33265 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
        0     0 wanin      all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0          
       14   896 wanout     all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0          
       14   896 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0          
        0     0 upnp       all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0          
        0     0 ACCEPT     all  --  *      br0     0.0.0.0/0            192.168.1.202      
    Chain OUTPUT (policy ACCEPT 169 packets, 106K bytes)
    pkts bytes target     prot opt in     out     source               destination        
    Chain rdev01 (1 references)
    pkts bytes target     prot opt in     out     source               destination        
        0     0 rres01     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] MAC E0:B9:BA:00:00:00  
        0     0 rres01     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] MAC F4:F9:51:00:00:00  
        0     0 rres01     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] MAC F4:37:B7:00:00:00  
        0     0 rres01     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] MAC E4:98:D6:00:00:00  
    Chain restrict (1 references)
    pkts bytes target     prot opt in     out     source               destination        
       96 17006 rres00     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
       87 11279 rdev01     all  --  *      *       0.0.0.0/0            0.0.0.0/0          
    Chain rres00 (1 references)
    pkts bytes target     prot opt in     out     source               destination        
       96 17006 rstr00     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 53,80,443 
        0     0 rstr00     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 
    Chain rres01 (4 references)
    pkts bytes target     prot opt in     out     source               destination        
        0     0 rstr01     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 53,80,443 
        0     0 rstr01     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:53 
    Chain rstr00 (2 references)
    pkts bytes target     prot opt in     out     source               destination        
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^.wimp.com$" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^.wimp.com$" ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^www.wimp.$" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^www.wimp.$" ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^wimp.$" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^wimp.$" ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^.wimp$" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^.wimp$" ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^.wimp.$" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^.wimp.$" ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match ".wimp.com$" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match ".wimp.com$" ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "www.wimp.$" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "www.wimp.$" ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "wimp.$" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "wimp.$" ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match ".wimp$" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match ".wimp$" ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match ".wimp.$" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match ".wimp.$" ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^.wimp.com" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^.wimp.com" ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^www.wimp." ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^www.wimp." ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^wimp." ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^wimp." ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^.wimp" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^.wimp" ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^.wimp." ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^.wimp." ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^www.wimp.com$" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^www.wimp.com$" ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^www.wimp$" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^www.wimp$" ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^wimp$" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^wimp$" ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "www.wimp.com$" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "www.wimp.com$" ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "www.wimp$" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "www.wimp$" ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "wimp$" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "wimp$" ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^www.wimp.com" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^www.wimp.com" ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^www.wimp" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^www.wimp" ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^wimp" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable 
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "^wimp" ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
    Chain rstr01 (2 references)
    pkts bytes target     prot opt in     out     source               destination        
        0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "com_apple_MobileAsset_SoftwareUpdate" ALGO name bm FROM 1 TO 600 reject-with icmp-port-unreachable  
        0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           STRING match "com_apple_MobileAsset_SoftwareUpdate" ALGO name bm FROM 1 TO 600 reject-with tcp-reset 
    Chain upnp (1 references)
    pkts bytes target     prot opt in     out     source               destination        
    Chain wanin (1 references)
    pkts bytes target     prot opt in     out     source               destination        
    Chain wanout (1 references)
    pkts bytes target     prot opt in     out     source               destination  
     
  9. kthaddock

    kthaddock Network Guru Member

    Okay, that FW version doesn't support that; it's changed to use the "STRING" module, which has some disadvantages.
    From what I can see in your "Chain rstr00" you use ^ $ . Try to remove them.
    Using the STRING module has some/big disadvantages that have been debated here before.

    I have asked Shibby to revert that function, and people who want to use the STRING module can do that with a script instead.
     
    Last edited: May 2, 2014
    Quad5Ny likes this.
  10. Mihai Olimpiu-Cristian

    Mihai Olimpiu-Cristian Serious Server Member

    Just use only: wimp.com as I initially suggested then...
     
    Quad5Ny likes this.
  11. koitsu

    koitsu Network Guru Member

    It looks like the Access Restrictions module being used now isn't web.ko but xt_string.ko. I can tell from the syntax of the iptables rules shown under chains rstr00 and rstr01. I wasn't under the impression that Toastman firmwares had this implemented (but others did), for many reasons (this one included).

    In the interim, the workaround for your situation is just to specify as much of the string as you can, with no regex. It may or may not work (I explained this to the people who wanted to use xt_string.ko in the first place), because how xt_string.ko works is COMPLETELY different than how web.ko works. I outlined this in the "big-ass discussion" that was prompted from people bitching/crying that they couldn't block HTTPS sites. There is a lot of highly technical information there, and it is a very long thread, but if you want answers to all this nonsense, they are in there.

    xt_string.ko literally looks for any sequence of characters (the ones you provide) within a byte range of the raw packet (in this case, bytes 1 through 600). One of the problems is if the string you're trying to match falls on a boundary region the match isn't made (understandably). For example: trying to block "helloworld.com", where due to HTTP client header size variance, the Host: header ends up falling on byte 590, you end up with:

    byte[590]: H
    byte[591]: o
    byte[592]: s
    byte[593]: t
    byte[594]: :
    byte[595]: {space}
    byte[596]: h
    byte[597]: e
    byte[598]: l
    byte[599]: l
    byte[600]: o -- matching stops here due to limited range, thus match fails
    byte[601]: w
    byte[602]: o
    byte[603]: r
    byte[604]: l
    byte[605]: d
    byte[606]: \n

    Now before some jackass shows up here and says "so what's the problem? Just increase the range from 1-600 to 1-4000 or something and now it works, right?": wrong. The larger the byte range scanning, the longer it takes to examine the packet, the higher the CPU usage (substantially), and also the more likely you end up getting "false positives" (for example, think about an HTTP Cookie that contains the string "helloworld.com" even though that may not be the site you're visiting -- that would get blocked! Or a web page that just happened to have a link or mention of "helloworld.com" -- would you want that blocked? Some would, some wouldn't). Furthermore, the byte range should have a maximum limit of the MTU (and that can vary per system/environment), so just some arbitrary value isn't going to work properly for everyone (too large a size I believe would crash the kernel).

    web.ko actually tries its best to make sure it's only looking at HTTP packets, and will check against the GET request string (from the client), as well as the HTTP Host: header, and then the actual HTTP content body. It looks for very specific "parts" of an HTTP request and only checks those. The problems with web.ko are that it pays strict attention to HTTP-like packets and does not support HTTPS -- and the next part explains why it can't easily be improved in this regard -- and also that it contains very few comments for a large amount of code that involves some not-easy-to-follow/understand string parsing mechanisms in C (it is not as simple as just strcmp() or the like; see above, re: how it only examines certain parts of an HTTP request).

    I will try to spend some time in the next week or two digging through the differences between 1.28.0500.x and 1.28.0505.x to determine how this got in there. Adding support for xt_string.ko (i.e. including it as a built netfilter module) is all that (IMO) should have been done so that people who wanted to use it for raw string matching in packets could manually write their own iptables rules to do that (such as for HTTPS blocking), not Access Restrictions actually using that module (instead it should have kept using web.ko, which supports what's shown in the GUI).
     
    Quad5Ny likes this.
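An added illustration (not Tomato's, netfilter's or any poster's code) of the two matching models contrasted in the post above: a literal search over a raw byte window, as xt_string does, beside a check that parses out the HTTP Host: header and applies an anchored regex to it, in the spirit of web.ko. The two functions, the 1-based payload-only window and the constructed sample requests are simplifying assumptions; the script reproduces the byte-590 boundary case, the Cookie false positive, and why rules like "^www.wimp.com$" never match under xt_string.

```python
import re

FROM, TO = 1, 600  # the byte window shown in the thread's rules (FROM 1 TO 600)


def xt_string_match(packet: bytes, pattern: str, frm: int = FROM, to: int = TO) -> bool:
    """Model of `iptables -m string --algo bm --from 1 --to 600 --string PATTERN`:
    a literal byte search inside one window of the packet. Simplification
    (assumption): the window is taken over the payload only, 1-based and
    inclusive; the real module counts offsets from the start of the packet.
    ^ and $ are ordinary bytes here, not anchors, which is why the thread's
    "^.wimp.com$" style rules never hit."""
    return pattern.encode() in packet[frm - 1:to]


def host_regex_match(packet: bytes, pattern: str) -> bool:
    """Model of the web.ko approach described above: accept only something
    that looks like an HTTP request, pull out the Host: header, and apply a
    regex to that header alone (so ^ and $ really anchor). Anything that is
    not plain HTTP, such as a TLS handshake, is never matched."""
    head = packet.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if not re.match(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]$", lines[0]):
        return False
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return re.search(pattern, value.strip().decode("latin-1")) is not None
    return False


def build_request(host: str, host_offset: int = 0, cookie: str = "") -> bytes:
    """Constructed sample HTTP request. If host_offset > 0, an X-Pad header is
    sized so that the Host: header starts at that 1-based byte of the payload,
    reproducing the boundary case from the post."""
    req = b"GET / HTTP/1.1\r\n"
    if host_offset:
        pad = host_offset - 1 - len(req) - len(b"X-Pad: \r\n")
        req += b"X-Pad: " + b"a" * pad + b"\r\n"
    req += b"Host: " + host.encode() + b"\r\n"
    if cookie:
        req += b"Cookie: " + cookie.encode() + b"\r\n"
    return req + b"\r\n"


def compare(packet: bytes, literal: str, regex: str) -> tuple:
    """Return (xt_string-style verdict, web.ko-style verdict) for one packet."""
    return xt_string_match(packet, literal), host_regex_match(packet, regex)


# Scenario 1: ordinary request; both approaches catch helloworld.com.
plain = build_request("helloworld.com")
# Scenario 2: Host: starts at byte 590, so "helloworld.com" runs past byte 600;
# the raw-window search misses it, the header parser still sees it.
late = build_request("helloworld.com", host_offset=590)
# Scenario 3: another site whose Cookie merely mentions helloworld.com: the raw
# search blocks it (false positive), the Host: check does not.
cookie = build_request("example.org", cookie="ref=helloworld.com")
# Scenario 4: the "^...$" rules from the thread are literal bytes to xt_string.
wimp = build_request("www.wimp.com")
# Scenario 5: constructed non-HTTP bytes carrying the name, standing in for a TLS
# ClientHello SNI (not a real handshake): raw search hits, HTTP parser cannot.
tls_like = b"\x16\x03\x01" + b"\x00" * 40 + b"www.wimp.com" + b"\x00" * 8

if __name__ == "__main__":
    for label, pkt in [("plain", plain), ("late", late), ("cookie", cookie)]:
        print(label, compare(pkt, "helloworld.com", r"helloworld\.com$"))
    print("anchors", compare(wimp, "^www.wimp.com$", r"^www\.wimp\.com$"))
    print("tls_like", compare(tls_like, "www.wimp.com", r"www\.wimp\.com"))
```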
  12. jerrm

    jerrm Network Guru Member

    FWIW. I don't remember discussion of this in Toastman's thread either, but could easily be wrong.

    The xt_string module was added in March 2013. The actual rule changes were in August: http://repo.or.cz/w/tomato.git/commit/aea53b57f8a62970920d19aaf2f169d52765c7dc.

    Based on how the commit was labeled, I wonder if this rule change didn't slip through unintentionally. It just doesn't seem like a Toastman kind of change.

    EDIT - comparing commits to release notes, adding the string module is explicitly listed in the March notes. The rule change commit went "live" with 7503/0503 in Sept 2013. The commit title was listed in the changelog, but made no direct reference to "https/ssl filtering" or similar.
     
    Last edited: May 2, 2014
    Quad5Ny likes this.
  13. koitsu

    koitsu Network Guru Member

    Thanks for digging, @jerrm. Yeah, that sounds like an unintentional change on Toastman's part, i.e. he merged changes from one branch or tag into his, and got more than he intended/bargained for. Mistakes happen, especially in complex projects.

    That commit in question should be backed out (for Toastman builds) so that continued reliance on web.ko remains. However, the building of xt_string.ko (either built-in or as a module, doesn't matter to me which) should definitely be retained so that people can make their own iptables rules using modprobe xt_string && iptables -m string ... if they wish.

    That original patch I submitted was here:

    http://www.linksysinfo.org/index.ph...ction-block-https-websites.45988/#post-208338

    I went with statically including xt_string via CONFIG_NETFILTER_XT_MATCH_STRING=y (rather than as a module, ex. CONFIG_NETFILTER_XT_MATCH_STRING=m) because of problems I personally witnessed:

    http://www.linksysinfo.org/index.ph...ction-block-https-websites.45988/#post-198099

    However, I believe Shibby was able to get the module-ised version working, I just don't know what other tweaks may be needed for that.

    Anyway sorry for the rambling. Point is, the commit @jerrm found should be reverted, which should allow web.ko to work correctly / regex supported / proper HTTP matching to occur. It will not, however, as discussed, work with HTTPS.
     
  14. Quad5Ny

    Quad5Ny Connected Client Member

    Thanks Mihai, koitsu, jerrm and kthaddock. You guys have put more effort into a quick question than any other forum I've ever posted on. Yay open source!
     
  15. Toastman

    Toastman Super Moderator Staff Member Member

    Hi Guys

    Yes, you are quite right, this was a completely unintentional change. As Koitsu said, I saw the potential problems outweighed the benefits and had deliberately decided not to actually use the string module, but to compile it for those who wanted to experiment. I'm not sure now why this commit got into the source, possibly temporary insanity on my part and bad checking. I will revert it soon. Thanks to Jerrm for finding the commit.

    Apologies for the inconvenience.
     
    koitsu likes this.
