Multi Wan + Web content filter

webfilter
multiwan
v7

(Valeriy) #1

**NethServer Version:** 7.5.1804
**Module:** Multi Wan + Web content filter
Tell me how to automate the switching of Multi Wan + Web content filter?
It is necessary that if you turn off red1 and turn on red2 (slow backup channel), the Web content filter with the profile is disabled, except for everything …
Is it possible to do this?

Can you tell me how to automate switching between Multi Wan and the Web content filter?
I need the Web content filter to be switched on, with a profile that forbids everything except …, when red1 goes down and red2 (the slow backup channel) comes up.
Is it possible to do this?


(Michael Träumner) #2

@support_team Has somebody an idea?


(Marc) #3

I didn’t understand this part of the explanation, can you reformulate it?

If you want to disable the web content filter when red2 is in use, I don’t know the exact way, but I think it could be possible by adding a new action script to the wan-uplink-update event. The nethserver-shorewall-wan-update action could be useful as an example.


(Valeriy) #4

When red2 is turned on (slow channel), I want the web content filter to be enabled, with everything except the whitelist disabled.


(Marc) #5

A follow-up on the idea but still unsure if it’s exactly what you want to achieve…
The script is untested (I don’t have a multi-wan setup to try it on and I’m not used to making bash scripts). To be tried on a test environment (not on a production server).

Server Setup: one green (LAN) network, multi-wan in active-backup mode with 2 wan interfaces (named red1 and red2), web content filter.

Objective: when red1 connection goes down, red2 goes up and web content filter profiles are “disabled”, leaving the web content filter active with default profile and the global blacklist/whitelist active as well.

(Pseudo)Solution: create an action to “disable” web content filter profiles and link it to the wan-uplink-update event.

Web content filter profiles don’t have a prop to enable/disable them, so a workaround could be to create a short-lived time condition and link it to the profiles we want to disable. In fact the profiles won’t be disabled, but they will only take effect within the short time span specified in the time condition.

For this use case a time condition named inactivity (for instance: Sunday from 23:00 to 23:01) is created from the server-manager UI. Profiles are configured from the server-manager without specifying any time condition. If you already make use of profiles linked to time conditions the following approach won’t suit you, as the script disassociates profiles from time conditions (although you can customize it).

Here we use the nethserver-shorewall-wan-update action script as the basis for our own script (the lsm-wan-update script can complement the example). The copied file will retain permissions (read-only, execution bit…):

```bash
cp /etc/e-smith/events/actions/{nethserver-shorewall-wan-update,nethserver-ufdbguard-wan-update}
vi /etc/e-smith/events/actions/nethserver-ufdbguard-wan-update
```

Content of nethserver-ufdbguard-wan-update:

```bash
#!/bin/bash
#
# Copyright (C) 2014 Nethesis S.r.l.
# http://www.nethesis.it - support@nethesis.it
#
# This script is part of NethServer.
#
# NethServer is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License,
# or any later version.
#
# NethServer is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with NethServer.  If not, see <http://www.gnu.org/licenses/>.
#
#
# Original work
# (C) 2009,2013 Mika Ilmaranta <ilmis@nullnet.fi>
# Copyright © 2009-2010 Tuomo Soini <tis@foobar.fi>
#

#
# event handling script for use with shorewall multi-isp setup
# To be able to utilize this script you must have shorewall >= 4.4.23.3
#

# Skip event name
shift

# Positional arguments passed with the event
STATE=${1}
NAME=${2}
CHECKIP=${3}
DEVICE=${4}
WARN_EMAIL=${5}
REPLIED=${6}
WAITING=${7}
TIMEOUT=${8}
REPLY_LATE=${9}
CONS_RCVD=${10}
CONS_WAIT=${11}
CONS_MISS=${12}
AVG_RTT=${13}
SRCIP=${14}
PREVSTATE=${15}
TIMESTAMP=${16}

# Interface of the provider, read from the networks db (replaces the DEVICE argument)
DEVICE=$(/sbin/e-smith/db networks getprop "${NAME}" interface)
# All keys of the contentfilter db; only records of type "profile" are touched below
KEYS=($(/sbin/e-smith/db contentfilter keys))

# Nothing to do if the state did not change
if [[ "${STATE}" = "${PREVSTATE}" ]]; then
    exit 0
fi

if [[ "${STATE}" = "up" ]] && [[ "${NAME}" = "red2" ]]; then
    # "disable" web content filter profiles by tying them to the short time condition
    for KEY in "${KEYS[@]}"; do
        KEYTYPE=$(/sbin/e-smith/db contentfilter gettype "${KEY}")
        if [[ "${KEYTYPE}" = "profile" ]] && [[ "${KEY}" != "default_profile" ]]; then
            /sbin/e-smith/db contentfilter setprop "${KEY}" Time 'time;inactivity'
        fi
    done
else
    # "enable" web content filter profiles by removing the time condition again
    for KEY in "${KEYS[@]}"; do
        KEYTYPE=$(/sbin/e-smith/db contentfilter gettype "${KEY}")
        if [[ "${KEYTYPE}" = "profile" ]] && [[ "${KEY}" != "default_profile" ]]; then
            /sbin/e-smith/db contentfilter delprop "${KEY}" Time
        fi
    done
fi

# Regenerate the web content filter configuration
/sbin/e-smith/signal-event nethserver-squidguard-save

exit 0
```

Save the read-only file and exit vi with :wq!

Link the action to the event:

```bash
cd /etc/e-smith/events/wan-uplink-update/
ln -s ../actions/nethserver-ufdbguard-wan-update S50nethserver-ufdbguard-wan-update
```

Test it, fix it, adapt it.
Sure there are better solutions but this is the first one that came to mind.
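
A dry run of the branch logic in the script above, as an added example that is not part of the original post: it replays constructed state transitions through the same conditions and lists the `db` commands that would be issued, without touching the e-smith databases. The function names `plan_action`, `plan_profiles` and `replay`, the profile names and the event tuples are made up for illustration.

```bash
#!/bin/bash
# Added example: dry run of nethserver-ufdbguard-wan-update's decisions.
# Hypothetical helpers; no e-smith database is read or written.

# plan_action STATE NAME PREVSTATE -> noop | disable-profiles | enable-profiles
plan_action() {
    local state="$1" name="$2" prevstate="$3"
    if [ "${state}" = "${prevstate}" ]; then
        echo "noop"
    elif [ "${state}" = "up" ] && [ "${name}" = "red2" ]; then
        echo "disable-profiles"
    else
        echo "enable-profiles"
    fi
}

# plan_profiles ACTION KEY:TYPE... -> db commands that would be run per record
plan_profiles() {
    local action="$1" rec key rtype
    shift
    for rec in "$@"; do
        key="${rec%%:*}"
        rtype="${rec##*:}"
        # Same filter as the script: only profiles, never default_profile
        [ "${rtype}" = "profile" ] && [ "${key}" != "default_profile" ] || continue
        case "${action}" in
            disable-profiles) echo "setprop ${key} Time time;inactivity" ;;
            enable-profiles)  echo "delprop ${key} Time" ;;
        esac
    done
}

# Constructed transitions (STATE NAME PREVSTATE) and contentfilter records
replay() {
    local state name prev action
    while read -r state name prev; do
        action="$(plan_action "${state}" "${name}" "${prev}")"
        echo "${name} ${prev}->${state}: ${action}"
        plan_profiles "${action}" default_profile:profile staff:profile \
            guests:profile inactivity:time | sed 's/^/    /'
    done <<'EOF'
down red1 up
up red2 down
up red1 down
up red2 up
EOF
}
replay
```

Every transition other than red2 coming up lands in the else branch, so the order in which the events arrive decides whether the profiles end up with or without the Time prop.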