The parental control project contains four utilities to get white and black lists from RKN service and completely isolate one certain host from denied resources. Utilities installed at the router between the host and uplink.
-
SOAP-client for RKN service, gets b/w lists, parses them and fills the redis cache.
-
watches all DNS traffic, collects A-records, and checks resolved hosts by b/w lists.
If the record in the answer is not denied then it puts to the white IP list with resolved TTL.
-
sniffs all traffic and for denied IP or hostname detection.
-
the testing tool for regularly checking the quality of other parts working. It gets the accessibility of hosts by their list in Redis, runs goroutines with HTTP-clients, and collects status codes.
It can be run from the docker container for routing all traffic through the router's firewall.
Traffic to sniffers redirects by the nf_queue kernel module. All traffic rejects by default
except DNS requests and answers. NF-tables rules have a list of allowed IP addresses.
Every record in the list has a TTL and deletes when this time is expired.
Also, there are the lists filled manually and imported to the rules.
Utilities control the firewall with internal library internal/fw.
Predefined useful nftables configs located in configs/nftables