Both Tomato and DD-WRT include a netfilter/iptables module to match URLs in HTTP requests, but in order to filter HTTP requests in OpenWrt, the only solution is to use a proxy like tinyproxy or squid. This option, while technically superior, takes up a lot of space and is not suitable for many smaller routers. I've attempted to correct this in the upcoming Beta 3 release of Gargoyle, my web interface for OpenWrt.
The main reason that the webstr module (from DD-WRT) or the web module (from Tomato) is not included in OpenWrt is that these are not compatible with the newer 2.6 kernels, which are used by everything except the Broadcom routers. For this reason I've written a new iptables match module -- weburl -- which is compatible with both 2.6 and 2.4 kernels as well as iptables versions 1.3.x and 1.4.x. Additionally, this module can match URLs based on standard string matching, or based on regular expression matching (I make use of the same regex library the layer7 match module uses).
This prevents connection to any website that contains gargoyle in the URL:
iptables -I FORWARD -m weburl --contains "gargoyle" -j DROP
This will block both gargoyle-router.com and google.com:
iptables -I FORWARD -m weburl --contains_regex "g.*le" -j DROP
Before you can use this, however, you may need to run "insmod ipt_weburl" to load the necessary kernel module. You can check if it's loaded using lsmod.
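As the "g.*le" rule above shows, a regex is matched anywhere in the URL, so a short pattern can block more than intended. The following added example (not part of the weburl code or of Gargoyle) previews which URLs a pattern would match before the rule is installed; the function names and sample URLs are constructed for illustration, and grep only approximates the module's matcher, whose regex dialect may differ.

```shell
#!/bin/sh
# Added example: preview what a weburl pattern would match before the
# iptables rule goes live. grep stands in for the kernel module's matcher
# (an approximation; the module's regex library may differ in dialect).

# Constructed sample URLs (host + path), one per line.
SAMPLE_URLS='gargoyle-router.com/download
google.com/search?q=openwrt
openwrt.org/
example.com/gallery/table.html
example.org/index.html'

# weburl_preview MODE PATTERN
#   MODE is "contains" (fixed substring) or "contains_regex" (regex),
#   mirroring the two weburl options. Prints the sample URLs that match.
weburl_preview() {
    case "$1" in
        contains)       printf '%s\n' "$SAMPLE_URLS" | grep -F -e "$2" ;;
        contains_regex) printf '%s\n' "$SAMPLE_URLS" | grep -E -e "$2" ;;
        *) echo "unknown mode: $1" >&2; return 2 ;;
    esac
}

# weburl_overblocked MODE PATTERN INTENDED_REGEX
#   Prints matched URLs that are NOT among the sites you meant to block
#   (INTENDED_REGEX is an extended regex describing the intended targets).
weburl_overblocked() {
    weburl_preview "$1" "$2" | grep -v -E -e "$3"
}

# Demo: the page's regex also catches an unrelated URL containing "g...le".
echo "--contains_regex 'g.*le' would match:"
weburl_preview contains_regex 'g.*le'
echo "of which unintended:"
weburl_overblocked contains_regex 'g.*le' 'gargoyle-router\.com|google\.com'
```

Replace SAMPLE_URLS with URLs taken from your own network's traffic to get a realistic picture of collateral blocking.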
In order to install this new matching capability, you need to install two packages: kmod-ipt-weburl & iptables-mod-weburl. The Kamikaze 7.09 Broadcom packages can be found here and here, and the Kamikaze 7.09 Atheros packages can be found here and here.
Now, I'm sure you're wondering, what about the OpenWrt trunk? Kamikaze 7.09 is old! Well, because the trunk is continually changing you'll need to patch it yourself, which brings me to the next innovation: a script for automatically integrating netfilter match modules into OpenWrt. This script automatically edits the necessary config and Makefiles so you don't have to do it by hand. Here's how it works:
An iptables match module consists of three parts of code: 1) the netfilter code (kernel module), 2) the iptables extension code (userspace code) and 3) the header file they share. So, you need to set up a directory containing a separate subdirectory for every match module you want to integrate, and within the directory for every match module you need three directories: "module", "extension" and "header". You also need a text file that contains the name of the module, which is needed to refer to it in the configuration files.
You run the script passing it two arguments: first the location of your buildroot directory and second the location of the directory just discussed containing the code for the new match modules. In order for the script to work, you must have already configured the version of OpenWrt you are going to build, i.e. you must have a .config file in your buildroot directory. This is because the script dynamically downloads and generates patches for the kernel code and iptables code that will be incorporated into OpenWrt, and this is dependent on how you have configured your build. The downloaded code is saved in the dl directory where it will be used later by the build process, which would have downloaded it eventually anyway.
The best way to use this is to run make menuconfig to configure your build, run the script, and then run make menuconfig again to configure which of the new modules to build.
There are two versions of this integration script, one for Kamikaze 7.09 and one for the current OpenWrt trunk. The necessary code for the weburl module can be downloaded here. Because this code will be part of the new access restrictions section of Gargoyle, you can also find all of it in the latest trunk from the Gargoyle SVN (https://svn.assembla.com/svn/gargoyle-router/trunk). Note this new section of Gargoyle hasn't been implemented yet, even in the SVN -- you'll have to wait until early November when I plan on releasing Beta 3.