From 72461a9ea71929bd48c327e25525093f8765dda3 Mon Sep 17 00:00:00 2001
From: Vicente
Date: Sun, 16 Jun 2013 23:00:15 +0200
Subject: [PATCH] ACCESS RESTRICTION: Check chain blank before delete. Patch from EasyTomato trunk.
---
 release/src/router/rc/restrict.c | 42 ++++++++++++++++++++++++++++++++--------
 1 file changed, 34 insertions(+), 8 deletions(-)
diff --git a/release/src/router/rc/restrict.c b/release/src/router/rc/restrict.c
index 21d00a0bf8..ca8accf8c1 100644
--- a/release/src/router/rc/restrict.c
+++ b/release/src/router/rc/restrict.c
@@ -2,23 +2,24 @@
 Tomato Firmware
 Copyright (C) 2006-2009 Jonathan Zarate
+ Portions rebuild by victek@tomato.raf, 2013.
 String chain restriction
 */
 #include "rc.h"
 #include
-
+#include
 #define MAX_NRULES 50
 static inline void unsched_restrictions(void)
 {
- eval("cru", "d", "rcheck");
+ system("cru d rcheck");
 }
-inline void sched_restrictions(void)
+void sched_restrictions(void)
 {
- eval("rcheck");
+ system("rcheck");
 }
 static int in_sched(int now_mins, int now_dow, int sched_begin, int sched_end, int sched_dow)
@@ -179,7 +180,7 @@ int rcheck_main(int argc, char *argv[])
 if (count > 0) {
 if ((argc != 2) || (strcmp(argv[1], "--cron") != 0)) {
- eval("cru", "a", "rcheck", "*/15 * * * * rcheck --cron");
+ system("cru a rcheck '*/15 * * * * rcheck --cron'");
 }
 }
 else {
@@ -221,6 +222,7 @@ void ipt_restrictions(void)
 int blockall;
 char reschain[32];
 char devchain[32];
+ char strchain[32];
 char nextchain[32];
 int need_web;
 char *pproto;
@@ -378,7 +380,13 @@ void ipt_restrictions(void)
 }
 }
- //
+// Build chain to perform string matching
+ sprintf(strchain, "rstr%02d", nrule);
+ ip46t_write(":%s - [0:0]\n", strchain);
+
+// Multiport match for ports 53,80,443 goto strchain
+ ip46t_write("-A %s -p tcp -m multiport --dports 53,80,443 -j %s\n", reschain, strchain);
+ ip46t_write("-A %s -p udp --dport 53 -j %s\n", reschain, strchain);
 p = http;
 while (*p) {
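Review bot: The `eval()` to `system()` swaps in unsched_restrictions and sched_restrictions route constant commands through /bin/sh for no visible gain; Tomato's `eval` execs the argv directly, which is the tighter primitive for code running as root on the router. The strings are constants so nothing is injectable today, but the shell adds PATH lookup and word splitting that every future edit of these strings has to get right (the rcheck_main hunk already needs single quotes to keep `*/15` away from the shell). Unless there is a reason for the switch that belongs in a comment, I would keep `eval("cru", "d", "rcheck");` and `eval("rcheck");`. Dropping `inline` from the non-static `sched_restrictions` is a genuine fix (C99 inline linkage), and the added `#include` has its header name stripped on this page — presumably `<string.h>` for the strtok/strlen used further down; confirm.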
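Review bot: In the ipt_restrictions hunk at line 380, `strchain` is declared (`:rstrNN - [0:0]`) and jumped to from `reschain` unconditionally, before the code knows whether this rule has any keyword strings, so a rule with none still gets an empty `rstrNN` chain plus two jump rules; and the `blockall` teardown later in this patch flushes and deletes only `reschain`, so that empty chain is left behind unless something outside these hunks removes it. Consider creating the chain on the first string rule instead, or emitting a matching `-F`/`-X` for `strchain` next to the `reschain` teardown. Separately, the UDP/53 jump only helps for keywords that survive DNS wire encoding — labels are length-prefixed, so a dotted name such as `example.com` will not be found by `-m string` in a query; a comment on that line like `// DNS names are length-prefixed on the wire: only dot-free keywords can match here` would save the next reader a debugging session. The `while (*p)` loop that fills the chain continues past this hunk.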
@@ -396,7 +404,24 @@ void ipt_restrictions(void)
 *p = 0;
 }
 else p = NULL;
- ip46t_write("-A %s -p tcp -m web --hore \"%s\" -j %s\n", reschain, http, chain_out_reject);
+
+// Trim trailing whitespace from http
+ char *p2 = http + strlen(http) - 1;
+ while (*p2 == ' ')
+ {
+ *p2-- = '\0';
+ }
+
+// Split the string delimited by whitespace. Each substring should be a new iptables entry.
+ char delim[] = " ";
+ p2 = strtok(http, delim);
+ while (p2 != NULL)
+ {
+ ip46t_write("-I %s 1 -p tcp -m string --string \"%s\" --algo bm --from 1 --to 600 -j %s\n", strchain, p2, chain_out_reject);
+ ip46t_write("-I %s 1 -p udp -m string --string \"%s\" --algo bm --from 1 --to 600 -j REJECT\n", strchain, p2);
+ p2 = strtok(NULL, delim);
+ }
+
 need_web = 1;
 blockall = 0;
 if (p == NULL) break;
@@ -418,7 +443,8 @@ void ipt_restrictions(void)
 if (*comps) {
 if (blockall) {
- ip46t_write("-X %s\n", reschain); // chain not needed
+ ip46t_write("-F %s\n", reschain); // https://github.com/ReliefLabs/EasyTomato/
+ ip46t_write("-X %s\n", reschain); // chain not needed
 sprintf(nextchain, "-j %s", chain_out_drop);
 }
 else {
-- 2.11.4.GIT
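Review bot: The trailing-whitespace trim in the new block walks off the front of `http`: `while (*p2 == ' ') *p2-- = '\0';` has no lower bound, so an entry made of spaces writes NULs before the buffer, and `http + strlen(http) - 1` already points before it when the entry is empty — `http` presumably comes from the user's restriction entry, so this is an attacker-reachable out-of-bounds write in a root process. Bound it by length instead: `size_t len = strlen(http);` then `while (len > 0 && http[len - 1] == ' ') http[--len] = '\0';` — an empty result makes `strtok` return NULL and no rule is emitted. Two smaller points: `-I %s 1` prepends each keyword so the chain ends up in reverse config order (harmless for matching, confusing in `iptables -L`; `-A` keeps the order), and the `--string "%s"` argument is written into the iptables-restore script unescaped, exactly as the old `--hore "%s"` was, so a keyword containing `"` or `\` still breaks the whole restore — out of scope for this commit but worth a `// TODO: escape keyword before writing it into the restore script` note. The enclosing `while (*p)` loop starts before this hunk.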