From 35e1cbd15b71964828d8c0cf913d107112d72d1e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thibaut=20VAR=C3=88NE?=
Date: Wed, 31 May 2023 10:36:40 +0200
Subject: [PATCH] uspot: use a single fwmark
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Default firewall rules apply to unauthenticated clients, there is no need to specifically fwmark their packets. This reduces the firewall complexity and makes very clear what happens "by default". Add a preliminary README with a sample firewall illustrating this setup.

Signed-off-by: Thibaut VARĂˆNE
---
 feeds/ucentral/uspot/README.md | 65 +++++++++++++++++++
 feeds/ucentral/uspot/files/usr/bin/captive | 4 +-
 .../uspot/files/usr/share/uspot/firewall.ipt | 2 +-
 .../uspot/files/usr/share/uspot/firewall.nft | 2 +-
 4 files changed, 68 insertions(+), 5 deletions(-)
 create mode 100644 feeds/ucentral/uspot/README.md

diff --git a/feeds/ucentral/uspot/README.md b/feeds/ucentral/uspot/README.md
new file mode 100644
index 000000000..b03c82f2d
--- /dev/null
+++ b/feeds/ucentral/uspot/README.md
@@ -0,0 +1,65 @@
+# uspot
+
+A captive portal
+
+##
+
+TBC
+
+## Basic firewall setup
+
+In /etc/config/firewall:
+
+```
+config zone
+ option name 'captive'
+ list network 'captive'
+ option input 'REJECT'
+ option output 'ACCEPT'
+ option forward 'REJECT'
+
+config redirect
+ option name 'Redirect-unauth-captive-CPD'
+ option src 'captive'
+ option src_dport '80'
+ option proto 'tcp'
+ option target 'DNAT'
+ option reflection '0'
+ option mark '!1/127'
+
+config rule
+ option name 'Allow-captive-CPD-UAM'
+ option src 'captive'
+ option dest_port '80 3990'
+ option proto 'tcp'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Forward-auth-captive'
+ option src 'captive'
+ option dest 'wan'
+ option proto 'any'
+ option target 'ACCEPT'
+ option mark '1/127'
+
+config rule
+ option name 'Allow-DHCP-captive'
+ option src 'captive'
+ option proto 'udp'
+ option dest_port '67'
+ option target 'ACCEPT'
+
+config rule
+ option name 'Allow-DNS-captive'
+ option src 'captive'
+ list proto 'udp'
+ list proto 'tcp'
+ option dest_port '53'
+ option target 'ACCEPT'
+
+config include
+ option type 'nftables'
+ option path '/usr/share/uspot/firewall.nft'
+ option position 'chain-post'
+ option chain 'mangle_postrouting'
+```
diff --git a/feeds/ucentral/uspot/files/usr/bin/captive b/feeds/ucentral/uspot/files/usr/bin/captive
index c92b35c7d..3e69a40cb 100755
--- a/feeds/ucentral/uspot/files/usr/bin/captive
+++ b/feeds/ucentral/uspot/files/usr/bin/captive
@@ -51,11 +51,9 @@ function generate_spotfilter(name) {
 { index: 0, device_macaddr,
- fwmark: 1,
- fwmark_mask: 127
 }, { index: 1,
- fwmark: 2,
+ fwmark: 1,
 fwmark_mask: 127 } ];
diff --git a/feeds/ucentral/uspot/files/usr/share/uspot/firewall.ipt b/feeds/ucentral/uspot/files/usr/share/uspot/firewall.ipt
index 3023396ad..39b49ccaf 100644
--- a/feeds/ucentral/uspot/files/usr/share/uspot/firewall.ipt
+++ b/feeds/ucentral/uspot/files/usr/share/uspot/firewall.ipt
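Review bot: The `fwmark: 1` / `fwmark_mask: 127` pair on the index 1 device is now a magic value that must agree with three other places in this same commit — `option mark '1/127'` and `'!1/127'` in the README firewall sample, `--mark 0x1` in firewall.ipt and `mark 0x1` in firewall.nft — but nothing in the hunk records that coupling, and the reason index 0 carries no mark at all is only stated in the commit message. A comment above the array would keep the next editor from changing one side only, e.g. `// index 0: presumably unauthenticated clients, left unmarked so the zone's default REJECT/redirect rules apply; index 1: authenticated, fwmark 1/127 — must match firewall.{ipt,nft} and the mark rules in /etc/config/firewall`. generate_spotfilter begins before this hunk and the devices array's declaration is not visible here, so the comment may belong on that declaration instead.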
@@ -1,3 +1,3 @@
 *mangle
--A POSTROUTING -m mark --mark 0x2 -j CONNMARK --set-mark 0x2
+-A POSTROUTING -m mark --mark 0x1 -j CONNMARK --set-mark 0x2
 COMMIT
diff --git a/feeds/ucentral/uspot/files/usr/share/uspot/firewall.nft b/feeds/ucentral/uspot/files/usr/share/uspot/firewall.nft
index 993a48004..57b89cf9c 100644
--- a/feeds/ucentral/uspot/files/usr/share/uspot/firewall.nft
+++ b/feeds/ucentral/uspot/files/usr/share/uspot/firewall.nft
@@ -1 +1 @@
-mark 0x2 ct mark set 0x2
+mark 0x1 ct mark set 0x2
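Review bot: The rewritten rule matches the packet mark exactly (`--mark 0x1` here, and `mark 0x1` in the firewall.nft hunk that follows) while every other part of this commit treats the mark as masked — `fwmark_mask: 127` in captive and `1/127` in the README firewall sample — so a packet that carries any bit outside 0x7f in its mark would not be matched and its connection would never receive the connmark, and the unmasked `--set-mark 0x2` overwrites whatever else the connmark holds. The masked forms keep the three files consistent: `-A POSTROUTING -m mark --mark 0x1/0x7f -j CONNMARK --set-xmark 0x2/0x7f` here, and `mark & 0x7f == 0x1` for the match in firewall.nft, whose ct mark assignment should likewise preserve the bits outside the mask. Whether anything else on these devices uses the mark register is not visible in the patch, so this may be a precaution rather than a live defect. Both files would also benefit from a one-line comment stating that 0x1 must equal the fwmark applied by /usr/bin/captive and that 0x2 is the resulting connmark.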