fix order of rules

libremesh · Sep 24, 2024 · 358c203 · 358c203
1 parent 1874558
commit 358c203
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 33 deletions.
diff --git a/packages/pirania/Readme.md b/packages/pirania/Readme.md
@@ -211,24 +211,3 @@ The flow without using vouchers (read for access mode) is:
 * Once there if the client has js support then a countdown of 15 seconds is shown and when it reaches 0 the user can click on continue, which sends a GET request to `http://minodo.info/cgi-bin/pirania/authorize_mac?prev=http%3A%2F%2Foriginal.org%2Fbaz%2F%3Ffoo%3Dbar`
 which will trigger a redirection to `prev` url.
 * If there the client has no js support, then the buttonis enabled inmediately, and after clicking in continue a redirection to `url_authenticated` is triggered.
-
-### Common errors
-
-If you flashed an old device (e.g. TP-Link Archer C50 V1) you may need to update some files.
-
-#### 1) opkg update gives error
-when you run `opkg update` and this error occur:
-``` 
-Collected errors:
- * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.10/packages/mipsel_24kc/libremesh/Packages.gz, wget returned 8.
- * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.10/packages/mipsel_24kc/profiles/Packages.gz, wget returned 8.`
-```
-Do the following:
-```
--> on the router, at the file `/etc/opkg/distfeeds.conf` comment the following lines:
-src/gz libremesh_libremesh http://downloads.openwrt.org/releases/19.07.10/packages/mipsel_24kc/libremesh
-src/gz libremesh_profiles http://downloads.openwrt.org/releases/19.07.10/packages/mipsel_24kc/profiles
-```
-
-#### 2) 
-
diff --git a/packages/pirania/files/usr/bin/captive-portal b/packages/pirania/files/usr/bin/captive-portal
@@ -39,23 +39,19 @@ set_nftables () {
 	# Only accept packets from interfaces defined in catch_bridged_interfaces
 	catch_interfaces=$(uci get pirania.base_config.catch_bridged_interfaces | sed 's/ /,/g')
 
-	nft add rule inet pirania prerouting meta l4proto tcp tcp dport 22 accept
-
+	# stop processing the chain for authorized macs and allowed ips (so they are accepted)
+	nft add rule inet pirania prerouting ether saddr @pirania-auth-macs ct state new,established,related counter log prefix "ValidSMAC" accept
+	nft add rule inet pirania prerouting ip daddr @pirania-allowlist-ipv4 ct state new,established,related counter log prefix "ACCEPT-ipv4" accept
+	nft add rule inet pirania prerouting ip6 daddr @pirania-allowlist-ipv6 ct state new,established,related counter log prefix "ACCEPT-ipv6" accept
 
+	# send DNS requests, that are not from valid ips or macs, to our own captive portal DNS at 59053
 	nft add rule inet pirania prerouting meta l4proto udp udp dport 53 ether saddr != @pirania-auth-macs ct state new,established,related counter log prefix "SMACDNS"  redirect to :59053
-	#nft add rule inet pirania prerouting meta l4proto tcp tcp dport 80 ether saddr != @pirania-auth-macs ct state new,established,related counter log prefix "SMACHTTP"  redirect to :59080
+	# redirect packets with dest port 80 to port 59080 of this host (the captive portal page).
+	nft add rule inet pirania prerouting meta l4proto tcp tcp dport 80 ether saddr != @pirania-auth-macs ct state new,established,related counter log prefix "SMACHTTP"  redirect to :59080
 
-	nft add rule inet pirania prerouting meta l4proto tcp tcp dport 80 ip saddr @pirania-allowlist-ipv4 ct state new,established,related counter log prefix "IPv4HTTP" redirect to :59080
+	#nft add rule inet pirania prerouting meta l4proto tcp tcp dport 80 ip saddr @pirania-allowlist-ipv4 ct state new,established,related counter log prefix "IPv4HTTP" redirect to :59080
 	#nft add rule inet pirania prerouting meta l4proto tcp tcp dport 80 ip6 saddr  @pirania-allowlist-ipv6 ct state new,established,related counter log prefix "IPV6HTTP" redirect to :59080
 
-	# Allow MACs already registered
-	nft add rule inet pirania prerouting ether saddr @pirania-auth-macs ct state new,established,related counter log prefix "ValidSMAC" accept
-
-
-
-	#nft add rule inet pirania prerouting ip daddr @pirania-allowlist-ipv4 ct state new,established,related counter log prefix "ACCEPT-ipv4" accept
-	#nft add rule inet pirania prerouting ip6 daddr @pirania-allowlist-ipv6 ct state new,established,related counter log prefix "ACCEPT-ipv6" accept
-
 	#nft add rule inet pirania prerouting meta l4proto udp udp dport 53 ip saddr @pirania-allowlist-ipv4 ct state new,established,related counter redirect to :59053
 	#nft add rule inet pirania prerouting meta l4proto udp udp dport 53 ip6 saddr @pirania-allowlist-ipv6 ct state new,established,related counter redirect to :59053
 
@@ -76,6 +72,7 @@ update_ipsets () {
   # Add authorized MAC addresses
   for mac in $(pirania_authorized_macs) ; do
     nft add element inet pirania pirania-auth-macs {$mac}
+	echo "Adicionando enderecos:" $mac
   done
 
   # Update pirania-allowlist sets for ipv4 and ipv6