From a2efe1b5d86d510f659ae04e61c9d5f218e2c679 Mon Sep 17 00:00:00 2001 From: henmohr Date: Mon, 1 Jul 2024 16:16:54 -0300 Subject: [PATCH 01/24] Update Readme.md --- packages/pirania/Readme.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/packages/pirania/Readme.md b/packages/pirania/Readme.md index a2df5f888..cb5841829 100644 --- a/packages/pirania/Readme.md +++ b/packages/pirania/Readme.md @@ -211,3 +211,24 @@ The flow without using vouchers (read for access mode) is: * Once there if the client has js support then a countdown of 15 seconds is shown and when it reaches 0 the user can click on continue, which sends a GET request to `http://minodo.info/cgi-bin/pirania/authorize_mac?prev=http%3A%2F%2Foriginal.org%2Fbaz%2F%3Ffoo%3Dbar` which will trigger a redirection to `prev` url. * If there the client has no js support, then the buttonis enabled inmediately, and after clicking in continue a redirection to `url_authenticated` is triggered. + +### Common errors + +If you flashed an old device (e.g. TP-Link Archer C50 V1) you may need to update some files. + +#### 1) opkg update gives error +when you run `opkg update` and this error occur: +``` +Collected errors: + * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.10/packages/mipsel_24kc/libremesh/Packages.gz, wget returned 8. + * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.10/packages/mipsel_24kc/profiles/Packages.gz, wget returned 8.` +``` +Do the following: +``` +-> on the router, at the file `/etc/opkg/distfeeds.conf` comment the following lines: +src/gz libremesh_libremesh http://downloads.openwrt.org/releases/19.07.10/packages/mipsel_24kc/libremesh +src/gz libremesh_profiles http://downloads.openwrt.org/releases/19.07.10/packages/mipsel_24kc/profiles +``` + +#### 2) + From 7896ccadf10e69073f4f07baf0ca0d715dcf87c2 Mon Sep 17 00:00:00 2001 
From: henmohr Date: Wed, 3 Jul 2024 13:01:26 -0300 Subject: [PATCH 02/24] Update captive-portal --- packages/pirania/files/usr/bin/captive-portal | 122 +++++------------- 1 file changed, 29 insertions(+), 93 deletions(-) diff --git a/packages/pirania/files/usr/bin/captive-portal b/packages/pirania/files/usr/bin/captive-portal index a97210d1a..747bb2730 100755 --- a/packages/pirania/files/usr/bin/captive-portal +++ b/packages/pirania/files/usr/bin/captive-portal 
@@ -1,111 +1,48 @@ #!/bin/sh -# requires ip6tables-mod-nat and ipset +# requires nftables and ipset + clean_tables () { echo "Cleaning captive-portal rules" - for iface in $(uci get pirania.base_config.catch_bridged_interfaces); do - ebtables -t nat -D PREROUTING -i $iface -j mark --mark-set 0x9124714 - done - - for ipvX in ipv4 ipv6 ; do - if [ "$ipvX" = "ipv4" ] ; then - iptables=iptables - family=inet - ipaddr=ipaddr - else - iptables=ip6tables - family=inet6 - ipaddr=ip6addr - fi - - $iptables -t mangle -D PREROUTING -m mark --mark 0x9124714 -j pirania - - for interface in $(uci get pirania.base_config.catch_interfaces); do - $iptables -t mangle -D PREROUTING -i $interface -j pirania - done - - $iptables -t nat -D PREROUTING -j pirania - $iptables -t filter -D FORWARD -j pirania - for table in mangle nat filter; do - $iptables -t $table -F pirania - $iptables -t $table -X pirania - done - done + nft flush chain inet pirania prerouting + nft flush chain inet pirania input + nft flush chain inet pirania forward + nft delete table inet pirania } clean_sets () { ipset flush pirania-auth-macs - for ipvX in ipv4 ipv6 ; do - ipset flush pirania-allowlist-$ipvX - done + ipset flush pirania-allowlist-ipv4 + ipset flush pirania-allowlist-ipv6 } -set_iptables () { +set_nftables () { echo "Apply captive-portal rules" - append_ipt_rules=$(uci get pirania.base_config.append_ipt_rules 2> /dev/null) - if [ "$append_ipt_rules" = "1" ] ; then - AorI="A" + append_nft_rules=$(uci get pirania.base_config.append_nft_rules 2> /dev/null) + if [ "$append_nft_rules" = "1" ] ; then + op="add rule" else - AorI="I" + op="insert rule" fi - # Mark every packet from catch_bridged_interfaces to be handled later. - # bridged interfaces cant be handled by iptables. 
- for iface in $(uci get pirania.base_config.catch_bridged_interfaces); do - ebtables -t nat -$AorI PREROUTING -i $iface -j mark --mark-set 0x9124714 - done + nft add table inet pirania + nft add chain inet pirania prerouting { type nat hook prerouting priority 0 \; } + nft add chain inet pirania input { type filter hook input priority 0 \; } + nft add chain inet pirania forward { type filter hook forward priority 0 \; } - for ipvX in ipv4 ipv6 ; do - if [ "$ipvX" = "ipv4" ] ; then - iptables=iptables - family=inet - anygw=$(uci get network.lm_net_br_lan_anygw_if.ipaddr) - else - iptables=ip6tables - family=inet6 - anygw=[$(uci get network.lan.ip6addr | cut -d/ -f1)] - fi - - ### Buildup: create a pirania chain in each table - for table in mangle nat filter; do - $iptables -t $table -N pirania - done - - # Redirect to pirania chain every packet from catch_bridged_interfaces - if [ -n "$(uci get pirania.base_config.catch_bridged_interfaces)" ] ; then - $iptables -t mangle -$AorI PREROUTING -m mark --mark 0x9124714 -j pirania - fi - - # Redirect to pirania chain every packet from catch_interfaces - for interface in $(uci get pirania.base_config.catch_interfaces); do - $iptables -t mangle -$AorI PREROUTING -i $interface -j pirania - done - - # stop processing the chain for authorized macs and allowed ips (so they are accepted) - $iptables -t mangle -A pirania -m set --match-set pirania-auth-macs src -j RETURN - $iptables -t mangle -A pirania -m set --match-set pirania-allowlist-$ipvX dst -j RETURN + # Redirect to pirania chain every packet from catch_interfaces + for interface in $(uci get pirania.base_config.catch_bridged_interfaces); do + nft $op inet pirania prerouting iifname $interface counter jump pirania + done - # mark other packages to be rejected later - $iptables -t mangle -A pirania -j MARK --set-mark 0x66/0xff - # except their dest port is 80, in this case mark to be redirected later - $iptables -t mangle -A pirania -p tcp -m tcp --dport 80 -j MARK 
--set-mark 0x80/0xff + # stop processing the chain for authorized macs and allowed ips (so they are accepted) + nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip saddr @pirania-allowlist-ipv4 ip6 saddr @pirania-allowlist-ipv6 ether saddr @pirania-auth-macs counter redirect to :59080 + nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip saddr @pirania-allowlist-ipv4 ip6 saddr @pirania-allowlist-ipv6 ether saddr @pirania-auth-macs counter redirect to :59053 - # marked packages reach nat-prerouting table, send them to nat-pirania chain. - $iptables -t nat -$AorI PREROUTING --jump pirania - - # in nat-pirania chain do: - # send DNS requests, that are not from valid ips or macs, to our own captive portal DNS at 59053 - $iptables -t nat -A pirania -p udp -m set ! --match-set pirania-allowlist-$ipvX src -m set ! --match-set pirania-auth-macs src --dport 53 -j DNAT --to-destination $anygw:59053 - # redirect packets with dest port 80 to port 59080 of this host (the captive portal page). - $iptables -t nat -A pirania -p tcp -m tcp -m mark --mark 0x80/0xff -j REDIRECT --to-ports 59080 - - # Other packets, if intended to be forwarded will reach filter-forward chain, send them to filter-pirania chain. - $iptables -t filter -$AorI FORWARD --jump pirania - # And in there let's reject them with the best suited reject reason. - $iptables -t filter -A pirania -p tcp -m mark --mark 0x66/0xff -j REJECT --reject-with tcp-reset - $iptables -t filter -A pirania -m mark --mark 0x66/0xff -j REJECT - done + # And in there let's reject them with the best suited reject reason. + nft $op inet pirania forward meta mark 0x66/0xff counter reject with tcp reset + nft $op inet pirania forward meta mark 0x66/0xff counter reject } update_ipsets () { @@ -143,7 +80,7 @@ if [ "$1" = "start" ]; then echo "Running captive-portal" clean_tables update_ipsets - set_iptables + set_nftables exit elif [ "$1" = "update" ] ; then update_ipsets 
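Review bot: The rewritten set_nftables never sets a packet mark, so the two forward-chain rules on `meta mark 0x66/0xff` can never match and unauthenticated clients are no longer rejected — the portal fails open for everything except the port-80/53 redirects. The redirect rules also look unsatisfiable as written: one rule requiring both `ip saddr` and `ip6 saddr` matches neither family, and `@pirania-auth-macs` / `@pirania-allowlist-*` name nft sets while update_ipsets in this commit still builds ipset sets, so the `nft add rule` calls should fail at load time; the interface loop additionally jumps to a chain `pirania` that this hunk never creates. With the default `insert rule`, each successive rule is prepended, so rules end up in reverse order — now that the table is private, `add rule` is sufficient. A set-based forward policy, sketched below, would restore the original semantics once the sets exist as nft sets.
```shell
# … unchanged: table and base chain creation …
# let authorized clients and allowlisted destinations through
nft add rule inet pirania forward ether saddr @pirania-auth-macs accept
nft add rule inet pirania forward ip daddr @pirania-allowlist-ipv4 accept
nft add rule inet pirania forward ip6 daddr @pirania-allowlist-ipv6 accept
# everyone else arriving on a captured interface is refused
for iface in $(uci get pirania.base_config.catch_bridged_interfaces); do
    nft add rule inet pirania forward iifname "$iface" meta l4proto tcp reject with tcp reset
    nft add rule inet pirania forward iifname "$iface" reject
done
```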
@@ -155,10 +92,9 @@ elif [ "$1" = "clean" ] || [ "$1" = "stop" ] ; then elif [ "$enabled" = "1" ]; then clean_tables update_ipsets - set_iptables + set_nftables exit else echo "Pirania captive-portal is disabled. Try running captive-portal start" exit fi - From 356fd7d285120377f93c7156818733ca44e8cf57 Mon Sep 17 00:00:00 2001 From: henmohr Date: Mon, 8 Jul 2024 22:36:26 -0300 Subject: [PATCH 03/24] add comments --- packages/pirania/files/usr/bin/captive-portal | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/packages/pirania/files/usr/bin/captive-portal b/packages/pirania/files/usr/bin/captive-portal index 747bb2730..80fd6235b 100755 --- a/packages/pirania/files/usr/bin/captive-portal +++ b/packages/pirania/files/usr/bin/captive-portal @@ -11,6 +11,7 @@ clean_tables () { } clean_sets () { + echo "Cleaning ipset lists" ipset flush pirania-auth-macs ipset flush pirania-allowlist-ipv4 ipset flush pirania-allowlist-ipv6 @@ -18,7 +19,7 @@ clean_sets () { set_nftables () { echo "Apply captive-portal rules" - + # Detect wheter add or insert rules append_nft_rules=$(uci get pirania.base_config.append_nft_rules 2> /dev/null) if [ "$append_nft_rules" = "1" ] ; then op="add rule" @@ -26,6 +27,7 @@ set_nftables () { op="insert rule" fi + # Create default tables and chains nft add table inet pirania nft add chain inet pirania prerouting { type nat hook prerouting priority 0 \; } nft add chain inet pirania input { type filter hook input priority 0 \; } From e460e57704e3669f2d64ec9e009dc37658b8b891 Mon Sep 17 00:00:00 2001 From: Henrique Mohr Date: Fri, 12 Jul 2024 15:44:25 -0300 Subject: [PATCH 04/24] uncomment because its used in captive-portal script --- .gitignore | 3 ++- packages/pirania/files/etc/config/pirania | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 8af25e1f1..86006527d 100644 --- a/.gitignore +++ b/.gitignore 
@@ -2,7 +2,8 @@ build luacov.stats.out tools/ansible/files/generic-rootfs.tar.gz tools/ansible/files/ramfs.bzImage - +deploy-pirania.sh +updatepkg.sh # Vim text editor swap files **/*~ diff --git a/packages/pirania/files/etc/config/pirania b/packages/pirania/files/etc/config/pirania index 9fdfb24b5..e4653af14 100644 --- a/packages/pirania/files/etc/config/pirania +++ b/packages/pirania/files/etc/config/pirania @@ -16,7 +16,7 @@ config base_config 'base_config' list allowlist_ipv6 'fc00::/7' list allowlist_ipv6 'fe80::/64' list allowlist_ipv6 '2a00:1508:0a00::/40' - # list catch_interfaces 'br-lan' + list catch_interfaces 'br-lan' # list catch_interfaces 'anygw' list catch_bridged_interfaces 'wlan0-ap' From 62f37339f03a058cb45a984f07a99b436a594a89 Mon Sep 17 00:00:00 2001 From: Henrique Mohr Date: Fri, 12 Jul 2024 15:46:15 -0300 Subject: [PATCH 05/24] change append_ipt_rules to append_nft_rules --- packages/pirania/files/etc/config/pirania | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/pirania/files/etc/config/pirania b/packages/pirania/files/etc/config/pirania index e4653af14..147d1990b 100644 --- a/packages/pirania/files/etc/config/pirania +++ b/packages/pirania/files/etc/config/pirania @@ -8,7 +8,7 @@ config base_config 'base_config' option url_fail '/portal/fail.html' option db_path '/etc/pirania/vouchers/' option hooks_path '/etc/pirania/hooks/' - option append_ipt_rules '0' # if set to 1, iptables rules will be Appended instead of Inserted + option append_nft_rules '0' # if set to 1, iptables rules will be Appended instead of Inserted option with_vouchers '0' list allowlist_ipv4 '10.0.0.0/8' list allowlist_ipv4 '172.16.0.0/12' From 6786e6e39c060c46d91f6c36ebcbf54b81a0434b Mon Sep 17 00:00:00 2001 From: Henrique Mohr Date: Mon, 15 Jul 2024 15:58:20 -0300 Subject: [PATCH 06/24] Update portal-captive script --- packages/pirania/files/usr/bin/captive-portal | 105 ++++++++++++------ 1 file changed, 73 insertions(+), 32 deletions(-) 
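Review bot: Enabling `list catch_interfaces 'br-lan'` has no effect in the script this series ships: the only interface loop in set_nftables reads `pirania.base_config.catch_bridged_interfaces` (its comment says catch_interfaces, the `uci get` does not), so either the loop should read the option this line enables or the line should stay commented. Catching `br-lan` would also extend the portal to wired LAN ports rather than only the `wlan0-ap` entry below — worth confirming that is intended before changing the shipped default.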
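Review bot: The renamed option keeps a comment that still describes iptables; suggest `option append_nft_rules '0' # if set to 1, pirania's nft rules are added (appended) instead of inserted at the top of its chains`. Note that with a private `inet pirania` table the flag no longer orders pirania relative to other firewall rules, it only reverses the order of pirania's own rules, and that configs still carrying `append_ipt_rules` silently fall back to the default after this rename.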
diff --git a/packages/pirania/files/usr/bin/captive-portal b/packages/pirania/files/usr/bin/captive-portal index 80fd6235b..332d4eee6 100755 --- a/packages/pirania/files/usr/bin/captive-portal +++ b/packages/pirania/files/usr/bin/captive-portal @@ -1,5 +1,5 @@ #!/bin/sh -# requires nftables and ipset +# requires nftables, liblucihttp0, liblucihttp-lua, uhttpd and uhttpd-mod-lua clean_tables () { @@ -10,12 +10,13 @@ clean_tables () { nft delete table inet pirania } -clean_sets () { - echo "Cleaning ipset lists" - ipset flush pirania-auth-macs - ipset flush pirania-allowlist-ipv4 - ipset flush pirania-allowlist-ipv6 -} +# Not needed anymore, since we are using nft set +#clean_sets () { +# echo "Cleaning ipset lists" +# ipset flush pirania-auth-macs +# ipset flush pirania-allowlist-ipv4 +# ipset flush pirania-allowlist-ipv6 +#} set_nftables () { echo "Apply captive-portal rules" 
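Review bot: clean_sets is commented out here, but the `clean`/`stop` branch at the bottom of the script still calls it (the call is only removed in patch 07), so on this commit `captive-portal stop` prints a "not found" error after clean_tables. Removing a function and its callers belongs in the same commit; since `nft delete table inet pirania` already drops the sets together with the table, dropping the call is the right fix.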
@@ -43,37 +44,77 @@ set_nftables () { nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip saddr @pirania-allowlist-ipv4 ip6 saddr @pirania-allowlist-ipv6 ether saddr @pirania-auth-macs counter redirect to :59053 # And in there let's reject them with the best suited reject reason. - nft $op inet pirania forward meta mark 0x66/0xff counter reject with tcp reset - nft $op inet pirania forward meta mark 0x66/0xff counter reject + # Needed to change its value because of this error: + # Error: Prefix length 255 is invalid for type of 32 bits width + # add rule inet pirania forward meta mark 0x66/0xff counter reject with tcp reset + + nft $op inet pirania forward meta mark 0x11/0x11 counter reject with tcp reset + nft $op inet pirania forward meta mark 0x11/0x11 counter reject } update_ipsets () { + + # Clear existing entries (optional) + nft set del inet pirania pirania-auth-macs + + # Add mac-adress set + nft add set inet pirania pirania-auth-macs { type ether_addr\; } + # Add authorized MAC addresses + for mac in $(pirania_authorized_macs) ; do + nft add element inet pirania pirania-auth-macs {$mac} + done + + # Create ipv4 set on pirania table + nft add set inet pirania pirania-allow-ipv4 { type ipv4_addr \; flags interval \; comment \"allow ipv4 list\" \; } + # Create ipv6 set on pirania table + nft add set inet pirania pirania-allow-ipv6 { type ipv6_addr \; flags interval \; comment \"allow ipv6 list\" \; } + + # Update pirania-allowlist sets for ipv4 and ipv6 + for ipvX in ipv4 ipv6 ; do + # Don't need this if, since addr type is specified in 'type ipv6_addr' + # if [ "$ipvX" = "ipv4" ] ; then + # family=inet + # else + # family=inet6 + # fi + + # Clear existing entries (optional) + nft flush set inet pirania pirania-allowlist-${ipvX} + + # Add allowed IP addresses/prefixes + for item in $(uci get pirania.base_config.allowlist_$ipvX); do + nft add element inet pirania pirania-allowlist-${ipvX} $item + done + done +} + +#update_ipsets () { # using 
temporary ipset sets and swaping them so the update # implies minimal disturb to the network and a previous clean-up # is not needed - ipset -exist create pirania-auth-macs hash:mac timeout 0 - ipset -exist create pirania-auth-macs-tmp hash:mac timeout 0 - for mac in $(pirania_authorized_macs) ; do - ipset -exist add pirania-auth-macs-tmp $mac - done - ipset swap pirania-auth-macs-tmp pirania-auth-macs - ipset destroy pirania-auth-macs-tmp - - for ipvX in ipv4 ipv6 ; do - if [ "$ipvX" = "ipv4" ] ; then - family=inet - else - family=inet6 - fi - ipset -exist create pirania-allowlist-${ipvX} hash:net family $family - ipset -exist create pirania-allowlist-${ipvX}-tmp hash:net family $family - for item in $(uci get pirania.base_config.allowlist_$ipvX); do - ipset -exist add pirania-allowlist-${ipvX}-tmp $item - done - ipset swap pirania-allowlist-${ipvX}-tmp pirania-allowlist-${ipvX} - ipset destroy pirania-allowlist-${ipvX}-tmp - done -} +# ipset -exist create pirania-auth-macs hash:mac timeout 0 +# ipset -exist create pirania-auth-macs-tmp hash:mac timeout 0 +# for mac in $(pirania_authorized_macs) ; do +# ipset -exist add pirania-auth-macs-tmp $mac +# done +# ipset swap pirania-auth-macs-tmp pirania-auth-macs +# ipset destroy pirania-auth-macs-tmp +# +# for ipvX in ipv4 ipv6 ; do +# if [ "$ipvX" = "ipv4" ] ; then +# family=inet +# else +# family=inet6 +# fi +# ipset -exist create pirania-allowlist-${ipvX} hash:net family $family +# ipset -exist create pirania-allowlist-${ipvX}-tmp hash:net family $family +# for item in $(uci get pirania.base_config.allowlist_$ipvX); do +# ipset -exist add pirania-allowlist-${ipvX}-tmp $item +# done +# ipset swap pirania-allowlist-${ipvX}-tmp pirania-allowlist-${ipvX} +# ipset destroy pirania-allowlist-${ipvX}-tmp +# done +#} # check if captive-portal is enabled in /etc/config/pirania enabled=$(uci get pirania.base_config.enabled) From d9821846b4e6b8f55a27ad8033a13e2ac7f13a9b Mon Sep 17 00:00:00 2001 
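Review bot: `meta mark 0x11/0x11` is not a mask match in nft — the error quoted in the comment shows the `/` is parsed as a prefix length, so `0x11/0x11` means "mark whose top 17 bits equal those of 0x11", i.e. zero, which an unmarked packet satisfies; if that reading is right, both forward rules reject every forwarded packet, authorized or not. A masked comparison is written `meta mark and 0xff == 0x66`, but as far as this series shows nothing sets a mark any more, so the rejects should key on the sets instead. In update_ipsets, `nft set del` is not nft syntax (`nft delete set inet pirania pirania-auth-macs`) and would fail on first start before the set exists, and the sets are created as `pirania-allow-ipv4/6` but flushed and filled as `pirania-allowlist-ipv4/6`, so set_nftables references sets that are never populated.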
From: henmohr Date: Thu, 25 Jul 2024 17:13:33 -0300 Subject: [PATCH 07/24] update captive-portal script --- packages/pirania/files/usr/bin/captive-portal | 46 +++++++++++-------- 1 file changed, 28 insertions(+), 18 deletions(-) diff --git a/packages/pirania/files/usr/bin/captive-portal b/packages/pirania/files/usr/bin/captive-portal index 332d4eee6..c3c58d828 100755 --- a/packages/pirania/files/usr/bin/captive-portal +++ b/packages/pirania/files/usr/bin/captive-portal @@ -3,11 +3,17 @@ clean_tables () { - echo "Cleaning captive-portal rules" - nft flush chain inet pirania prerouting - nft flush chain inet pirania input - nft flush chain inet pirania forward - nft delete table inet pirania + echo "Cleaning captive-portal rules if there's any" + if nft list tables inet | grep -q "pirania"; then + nft delete table inet pirania + fi + nft create table inet pirania + + #echo "Flushing rules" + #nft flush chain inet pirania prerouting + #nft flush chain inet pirania input + #nft flush chain inet pirania forward + } # Not needed anymore, since we are using nft set @@ -18,7 +24,7 @@ clean_tables () { # ipset flush pirania-allowlist-ipv6 #} -set_nftables () { +set_nftables () { echo "Apply captive-portal rules" # Detect wheter add or insert rules append_nft_rules=$(uci get pirania.base_config.append_nft_rules 2> /dev/null) 
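Review bot: `nft list tables inet | grep -q "pirania"` is a substring test, so any other table whose name contains `pirania` makes the guard pass and the following delete print a spurious error. Querying the table directly is exact and quieter: `if nft list table inet pirania >/dev/null 2>&1; then nft delete table inet pirania; fi`. The script has no `set -e`, so a failed delete is also silently followed by `nft create table`, which then fails because the table still exists; consider `|| exit 1` after the delete.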
@@ -34,14 +40,19 @@ set_nftables () { nft add chain inet pirania input { type filter hook input priority 0 \; } nft add chain inet pirania forward { type filter hook forward priority 0 \; } - # Redirect to pirania chain every packet from catch_interfaces - for interface in $(uci get pirania.base_config.catch_bridged_interfaces); do - nft $op inet pirania prerouting iifname $interface counter jump pirania - done + # Only accept packets from bridged interfaces - check this out after + #for interface in $(uci get pirania.base_config.catch_bridged_interfaces); do + # nft insert rule inet pirania prerouting iifname $interface accept + #done # stop processing the chain for authorized macs and allowed ips (so they are accepted) - nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip saddr @pirania-allowlist-ipv4 ip6 saddr @pirania-allowlist-ipv6 ether saddr @pirania-auth-macs counter redirect to :59080 - nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip saddr @pirania-allowlist-ipv4 ip6 saddr @pirania-allowlist-ipv6 ether saddr @pirania-auth-macs counter redirect to :59053 + nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip saddr @pirania-allowlist-ipv4 redirect to :59080 + nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip6 saddr @pirania-allowlist-ipv6 counter redirect to :59080 + nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ether saddr @pirania-auth-macs counter redirect to :59080 + + nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip saddr @pirania-allowlist-ipv4 counter redirect to :59053 + nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip6 saddr @pirania-allowlist-ipv6 counter redirect to :59053 + nft $op inet pirania prerouting meta l4proto udp udp dport 53 ether saddr @pirania-auth-macs counter redirect to :59053 # And in there let's reject them with the best suited reject reason. # Needed to change its value because of this error: 
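Review bot: The six redirect rules are inverted relative to the iptables logic they replace: traffic is sent to the portal on :59080/:59053 only when its `ip saddr` is in the allowlist or its `ether saddr` is in the authorized-MAC set, so exactly the clients that should pass are captured and everyone else is left alone. The allowlist is also matched on the source address, whereas the old rules used it on the destination (`--match-set pirania-allowlist-$ipvX dst -j RETURN`); with the shipped `10.0.0.0/8` and `172.16.0.0/12` entries most LAN clients will likely match it as a source. The intended shape is an accept for authorized MACs and allowlisted destinations followed by an unconditional redirect, e.g. `nft add rule inet pirania prerouting ether saddr @pirania-auth-macs accept`, `nft add rule inet pirania prerouting ip daddr @pirania-allowlist-ipv4 accept`, `nft add rule inet pirania prerouting meta l4proto tcp tcp dport 80 redirect to :59080`. Commenting out the interface loop also makes these rules apply on every interface, mesh and WAN-facing ones included. set_nftables continues outside the hunk.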
@@ -54,8 +65,8 @@ set_nftables () { update_ipsets () { - # Clear existing entries (optional) - nft set del inet pirania pirania-auth-macs + # Create tables and sets + echo "Updating captive-portal rules" # Add mac-adress set nft add set inet pirania pirania-auth-macs { type ether_addr\; } @@ -65,9 +76,9 @@ update_ipsets () { done # Create ipv4 set on pirania table - nft add set inet pirania pirania-allow-ipv4 { type ipv4_addr \; flags interval \; comment \"allow ipv4 list\" \; } + nft add set inet pirania pirania-allowlist-ipv4 { type ipv4_addr \; flags interval \; comment \"allow ipv4 list\" \; } # Create ipv6 set on pirania table - nft add set inet pirania pirania-allow-ipv6 { type ipv6_addr \; flags interval \; comment \"allow ipv6 list\" \; } + nft add set inet pirania pirania-allowlist-ipv6 { type ipv6_addr \; flags interval \; comment \"allow ipv6 list\" \; } # Update pirania-allowlist sets for ipv4 and ipv6 for ipvX in ipv4 ipv6 ; do @@ -83,7 +94,7 @@ update_ipsets () { # Add allowed IP addresses/prefixes for item in $(uci get pirania.base_config.allowlist_$ipvX); do - nft add element inet pirania pirania-allowlist-${ipvX} $item + nft add element inet pirania pirania-allowlist-${ipvX} {$item} done done } @@ -130,7 +141,6 @@ elif [ "$1" = "update" ] ; then exit elif [ "$1" = "clean" ] || [ "$1" = "stop" ] ; then clean_tables - clean_sets exit elif [ "$enabled" = "1" ]; then clean_tables From 8193b3d6c5cdc11ea5e88aa981ff974aef0238d1 Mon Sep 17 00:00:00 2001 From: henmohr Date: Mon, 19 Aug 2024 14:16:29 -0300 Subject: [PATCH 08/24] Update captive-portal --- packages/pirania/files/usr/bin/captive-portal | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/packages/pirania/files/usr/bin/captive-portal b/packages/pirania/files/usr/bin/captive-portal index c3c58d828..e26954b08 100755 --- a/packages/pirania/files/usr/bin/captive-portal +++ b/packages/pirania/files/usr/bin/captive-portal 
@@ -7,7 +7,6 @@ clean_tables () { if nft list tables inet | grep -q "pirania"; then nft delete table inet pirania fi - nft create table inet pirania #echo "Flushing rules" #nft flush chain inet pirania prerouting @@ -34,6 +33,8 @@ set_nftables () { op="insert rule" fi + # Create pirania tables + nft create table inet pirania # Create default tables and chains nft add table inet pirania nft add chain inet pirania prerouting { type nat hook prerouting priority 0 \; } From 1a87a76d43dd21e18fc4940484bacdf3137fbd07 Mon Sep 17 00:00:00 2001 From: henmohr Date: Sat, 31 Aug 2024 19:21:13 -0300 Subject: [PATCH 09/24] Add log info --- packages/pirania/files/usr/bin/captive-portal | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/packages/pirania/files/usr/bin/captive-portal b/packages/pirania/files/usr/bin/captive-portal index e26954b08..d3bbe0a94 100755 --- a/packages/pirania/files/usr/bin/captive-portal +++ b/packages/pirania/files/usr/bin/captive-portal 
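Review bot: Moving `nft create table inet pirania` out of clean_tables into set_nftables breaks the `start` path as far as the series shows it: `start` runs clean_tables (which now only deletes the table), then update_ipsets, then set_nftables, so update_ipsets' `nft add set inet pirania ...` calls run while no `inet pirania` table exists and should fail, after which set_nftables adds rules that reference missing sets. Either create the table at the top of update_ipsets, where the sets are added, or run the table/chain creation before update_ipsets in the `start` branch. `nft create table` immediately followed by `nft add table inet pirania` is also redundant; a single idempotent `add table` is enough.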
@@ -47,13 +47,13 @@ set_nftables () { #done # stop processing the chain for authorized macs and allowed ips (so they are accepted) - nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip saddr @pirania-allowlist-ipv4 redirect to :59080 - nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip6 saddr @pirania-allowlist-ipv6 counter redirect to :59080 - nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ether saddr @pirania-auth-macs counter redirect to :59080 + nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip saddr @pirania-allowlist-ipv4 log prefix "ipv4dns request from LAN: " redirect to :59080 + #nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip6 saddr @pirania-allowlist-ipv6 counter log prefix "ipv6dns request from LAN: " redirect to :59080 + nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ether saddr @pirania-auth-macs counter log prefix "SMAC53 request from LAN: " redirect to :59080 - nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip saddr @pirania-allowlist-ipv4 counter redirect to :59053 - nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip6 saddr @pirania-allowlist-ipv6 counter redirect to :59053 - nft $op inet pirania prerouting meta l4proto udp udp dport 53 ether saddr @pirania-auth-macs counter redirect to :59053 + nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip saddr @pirania-allowlist-ipv4 counter log prefix "ipv480 request from LAN: " redirect to :59053 + nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip6 saddr @pirania-allowlist-ipv6 counter log prefix "ipv680 request from LAN: " redirect to :59053 + nft $op inet pirania prerouting meta l4proto udp udp dport 53 ether saddr @pirania-auth-macs counter log prefix "SMAC80 request from LAN: " redirect to :59053 # And in there let's reject them with the best suited reject reason. # Needed to change its value because of this error: 
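Review bot: The new `log prefix` clauses log every DNS and HTTP packet from every LAN client with no rate limit, so on a router with a small ring-buffer log any single client can flood the kernel log and drown other messages; if the logging stays, gate it with `limit rate 10/second burst 20 packets log prefix "..."` or remove it after debugging. The prefixes are also swapped: the `tcp dport 80` rules log `ipv4dns`/`SMAC53` and the `udp dport 53` rules log `ipv480`/`SMAC80`, which will mislead anyone reading the log. The IPv6 HTTP rule is commented out without a note saying why, which leaves IPv6-only clients uncaptured on port 80.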
From e9e2dc821c44f8d2dd026944615089368897a916 Mon Sep 17 00:00:00 2001 From: henmohr Date: Sat, 31 Aug 2024 19:52:49 -0300 Subject: [PATCH 10/24] update rules --- packages/pirania/files/usr/bin/captive-portal | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/packages/pirania/files/usr/bin/captive-portal b/packages/pirania/files/usr/bin/captive-portal index e26954b08..293159cec 100755 --- a/packages/pirania/files/usr/bin/captive-portal +++ b/packages/pirania/files/usr/bin/captive-portal @@ -48,13 +48,14 @@ set_nftables () { # stop processing the chain for authorized macs and allowed ips (so they are accepted) nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip saddr @pirania-allowlist-ipv4 redirect to :59080 - nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip6 saddr @pirania-allowlist-ipv6 counter redirect to :59080 + #nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip6 saddr @pirania-allowlist-ipv6 counter redirect to :59080 nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ether saddr @pirania-auth-macs counter redirect to :59080 nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip saddr @pirania-allowlist-ipv4 counter redirect to :59053 nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip6 saddr @pirania-allowlist-ipv6 counter redirect to :59053 nft $op inet pirania prerouting meta l4proto udp udp dport 53 ether saddr @pirania-auth-macs counter redirect to :59053 + # And in there let's reject them with the best suited reject reason. # Needed to change its value because of this error: # Error: Prefix length 255 is invalid for type of 32 bits width From 7bf619a3f4cab921a34a5638dc978c8fed1bc524 Mon Sep 17 00:00:00 2001 From: henmohr Date: Tue, 3 Sep 2024 19:37:27 -0300 Subject: [PATCH 11/24] update --- packages/pirania/files/usr/bin/captive-portal | 20 ++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) 
diff --git a/packages/pirania/files/usr/bin/captive-portal b/packages/pirania/files/usr/bin/captive-portal index 293159cec..4c97f6e1a 100755 --- a/packages/pirania/files/usr/bin/captive-portal +++ b/packages/pirania/files/usr/bin/captive-portal 
@@ -45,15 +45,21 @@ set_nftables () { #for interface in $(uci get pirania.base_config.catch_bridged_interfaces); do # nft insert rule inet pirania prerouting iifname $interface accept #done - # stop processing the chain for authorized macs and allowed ips (so they are accepted) - nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip saddr @pirania-allowlist-ipv4 redirect to :59080 - #nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip6 saddr @pirania-allowlist-ipv6 counter redirect to :59080 - nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ether saddr @pirania-auth-macs counter redirect to :59080 + nft $op inet pirania prerouting ether saddr @pirania-auth-macs accept + nft $op inet pirania prerouting ip daddr @pirania-allowlist-ipv4 accept + nft $op inet pirania prerouting ip6 daddr @pirania-allowlist-ipv6 accept + + + nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip saddr @pirania-allowlist-ipv4 counter log prefix "ipv4DNS request from LAN: " redirect to :59053 + nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip6 saddr @pirania-allowlist-ipv6 counter log prefix "ipv6DNS request from LAN: " redirect to :59053 + nft $op inet pirania prerouting meta l4proto udp udp dport 53 ether saddr @pirania-auth-macs counter log prefix "SMACDNS request from LAN: " redirect to :59053 + + + nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ether saddr != @pirania-auth-macs counter log prefix "SMAC80 request from LAN: " redirect to :59080 + nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip saddr != @pirania-allowlist-ipv4 counter log prefix "ipv4HTTP request from LAN: " redirect to :59080 + nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip6 saddr != @pirania-allowlist-ipv6 counter log prefix "ipv6HTTP request from LAN: " redirect to :59080 - nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip saddr @pirania-allowlist-ipv4 counter redirect to :59053 - nft $op 
inet pirania prerouting meta l4proto udp udp dport 53 ip6 saddr @pirania-allowlist-ipv6 counter redirect to :59053 - nft $op inet pirania prerouting meta l4proto udp udp dport 53 ether saddr @pirania-auth-macs counter redirect to :59053 # And in there let's reject them with the best suited reject reason. From 9b1a27b3f7791054993b2e1d2d198a658eee5790 Mon Sep 17 00:00:00 2001 From: henmohr Date: Tue, 3 Sep 2024 19:38:07 -0300 Subject: [PATCH 12/24] update --- packages/pirania/files/usr/bin/captive-portal | 23 ++++++++++++------- .../files/usr/lib/lua/voucher/utils.lua | 5 ++-- 2 files changed, 18 insertions(+), 10 deletions(-) diff --git a/packages/pirania/files/usr/bin/captive-portal b/packages/pirania/files/usr/bin/captive-portal index d3bbe0a94..291cec994 100755 --- a/packages/pirania/files/usr/bin/captive-portal +++ b/packages/pirania/files/usr/bin/captive-portal @@ -1,5 +1,5 @@ #!/bin/sh -# requires nftables, liblucihttp0, liblucihttp-lua, uhttpd and uhttpd-mod-lua +# requires nftables, liblucihttp0, liblucihttp-lua, uhttpd, uhttpd-mod-lua, uhttpd-mod-ubus clean_tables () { 
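Review bot: With the per-interface loop still commented out, the prerouting rules apply on every interface, so DNS and HTTP arriving from mesh or WAN-side neighbours is redirected to this node's portal and portal DNS as well; the `iifname` match from the loop should be restored on each rule. Enforcement is also limited to ports 80/53: the forward-chain rules below still key on a mark that no rule in the rewritten script sets (the `MARK --set-mark 0x66` rules went away in patch 02), so an unauthenticated client can use HTTPS, VPN or any other port freely — the forward chain needs set-based rejects as sketched below. The default `insert rule` prepends each successive rule, so the HTTP redirects inserted last sit above the `accept` rules inserted first; within this private table use `add rule` so the accepts are evaluated first. Note the `index` lines: patches 09/12 and 10/11 both descend from e26954b08, so the series as sent will not apply linearly.
```shell
# … unchanged: table, chains and prerouting accepts …
for iface in $(uci get pirania.base_config.catch_bridged_interfaces); do
    nft add rule inet pirania prerouting iifname "$iface" meta l4proto tcp tcp dport 80 ether saddr != @pirania-auth-macs counter redirect to :59080
    nft add rule inet pirania prerouting iifname "$iface" meta l4proto udp udp dport 53 ether saddr != @pirania-auth-macs counter redirect to :59053
    # block everything else from unauthenticated clients on captured interfaces
    nft add rule inet pirania forward iifname "$iface" ether saddr @pirania-auth-macs accept
    nft add rule inet pirania forward iifname "$iface" ip daddr @pirania-allowlist-ipv4 accept
    nft add rule inet pirania forward iifname "$iface" ip6 daddr @pirania-allowlist-ipv6 accept
    nft add rule inet pirania forward iifname "$iface" meta l4proto tcp reject with tcp reset
    nft add rule inet pirania forward iifname "$iface" reject
done
```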
@@ -45,15 +45,22 @@ set_nftables () { #for interface in $(uci get pirania.base_config.catch_bridged_interfaces); do # nft insert rule inet pirania prerouting iifname $interface accept #done - # stop processing the chain for authorized macs and allowed ips (so they are accepted) - nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip saddr @pirania-allowlist-ipv4 log prefix "ipv4dns request from LAN: " redirect to :59080 - #nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip6 saddr @pirania-allowlist-ipv6 counter log prefix "ipv6dns request from LAN: " redirect to :59080 - nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ether saddr @pirania-auth-macs counter log prefix "SMAC53 request from LAN: " redirect to :59080 + nft $op inet pirania prerouting ether saddr @pirania-auth-macs accept + nft $op inet pirania prerouting ip daddr @pirania-allowlist-ipv4 accept + nft $op inet pirania prerouting ip6 daddr @pirania-allowlist-ipv6 accept + + + nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip saddr @pirania-allowlist-ipv4 counter log prefix "ipv4DNS request from LAN: " redirect to :59053 + nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip6 saddr @pirania-allowlist-ipv6 counter log prefix "ipv6DNS request from LAN: " redirect to :59053 + nft $op inet pirania prerouting meta l4proto udp udp dport 53 ether saddr @pirania-auth-macs counter log prefix "SMACDNS request from LAN: " redirect to :59053 + + + nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ether saddr != @pirania-auth-macs counter log prefix "SMAC80 request from LAN: " redirect to :59080 + nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip saddr != @pirania-allowlist-ipv4 counter log prefix "ipv4HTTP request from LAN: " redirect to :59080 + nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip6 saddr != @pirania-allowlist-ipv6 counter log prefix "ipv6HTTP request from LAN: " redirect to :59080 + - nft $op inet 
pirania prerouting meta l4proto udp udp dport 53 ip saddr @pirania-allowlist-ipv4 counter log prefix "ipv480 request from LAN: " redirect to :59053 - nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip6 saddr @pirania-allowlist-ipv6 counter log prefix "ipv680 request from LAN: " redirect to :59053 - nft $op inet pirania prerouting meta l4proto udp udp dport 53 ether saddr @pirania-auth-macs counter log prefix "SMAC80 request from LAN: " redirect to :59053 # And in there let's reject them with the best suited reject reason. # Needed to change its value because of this error: diff --git a/packages/pirania/files/usr/lib/lua/voucher/utils.lua b/packages/pirania/files/usr/lib/lua/voucher/utils.lua index 3589db578..b6e5d943a 100644 --- a/packages/pirania/files/usr/lib/lua/voucher/utils.lua +++ b/packages/pirania/files/usr/lib/lua/voucher/utils.lua @@ -39,11 +39,12 @@ function utils.getIpv4AndMac(ip_address) res.mac = ipv4mac return res else - local ipv6macCommand = "ip neighbor | grep "..ip_address.." | awk -F ' ' '{print $5}' | head -n 1" + # change from neighbor to neigh or n + local ipv6macCommand = "ip neigh | grep "..ip_address.." | awk -F ' ' '{print $5}' | head -n 1" fd6 = io.popen(ipv6macCommand, 'r') ipv6mac = fd6:read('*l') fd6:close() - local ipv4Command = "cat /proc/net/arp | grep "..ipv6mac.." | awk -F ' ' '{print $1}' | head -n 1" + local ipv4cCommand = "cat /proc/net/arp | grep "..ipv6mac.." | awk -F ' ' '{print $1}' | head -n 1" fd4 = io.popen(ipv4Command, 'r') ipv4 = fd4:read('*l') fd4:close() From 36b7906440295c58e23c77976dae52533df7d27d Mon Sep 17 00:00:00 2001 From: henmohr Date: Tue, 3 Sep 2024 19:41:16 -0300 Subject: [PATCH 13/24] ip neighbor not found in version 2e50c6c, changed to neigh or n will work --- packages/pirania/files/usr/lib/lua/voucher/utils.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
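Review bot: `+ # change from neighbor to neigh or n` is not a Lua comment — Lua comments start with `--` — so this line is a syntax error and `voucher.utils` will fail to load; write `-- change from neighbor to neigh or n`. The rename to `local ipv4cCommand` is not carried into the unchanged `fd4 = io.popen(ipv4Command, 'r')` below it, which now reads an undefined global and hands nil to io.popen; keep the original name `local ipv4Command = ...`. Both the kept and the changed line splice `ip_address` and `ipv6mac` into a shell pipeline unescaped; unless a caller already validates them, guard with something like `if not ip_address:match("^[%x:.]+$") then return res end` before building the command. The same `#` comment survives in the PATCH 16 hunk (`@@ -39,10 +39,7 @@`).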
diff --git a/packages/pirania/files/usr/lib/lua/voucher/utils.lua b/packages/pirania/files/usr/lib/lua/voucher/utils.lua
index 3589db578..bbf22bb7e 100644
--- a/packages/pirania/files/usr/lib/lua/voucher/utils.lua
+++ b/packages/pirania/files/usr/lib/lua/voucher/utils.lua
@@ -39,7 +39,7 @@ function utils.getIpv4AndMac(ip_address)
 res.mac = ipv4mac
 return res
 else
- local ipv6macCommand = "ip neighbor | grep "..ip_address.." | awk -F ' ' '{print $5}' | head -n 1"
+ local ipv6macCommand = "ip neigh | grep "..ip_address.." | awk -F ' ' '{print $5}' | head -n 1"
 fd6 = io.popen(ipv6macCommand, 'r')
 ipv6mac = fd6:read('*l')
 fd6:close()
From 50c9773969ca4fda2f308d5f2818a09eba8cd899 Mon Sep 17 00:00:00 2001
From: henmohr
Date: Thu, 5 Sep 2024 15:56:21 -0300
Subject: [PATCH 14/24] update
---
 packages/pirania/files/usr/bin/captive-portal | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/packages/pirania/files/usr/bin/captive-portal b/packages/pirania/files/usr/bin/captive-portal
index 291cec994..0921d6979 100755
--- a/packages/pirania/files/usr/bin/captive-portal
+++ b/packages/pirania/files/usr/bin/captive-portal
@@ -45,6 +45,11 @@ set_nftables () {
 #for interface in $(uci get pirania.base_config.catch_bridged_interfaces); do
 # nft insert rule inet pirania prerouting iifname $interface accept
 #done
+ # Get interfaces where captive-portal will intercept traffic
+ # catch_interfaces=$(uci get pirania.base_config.catch_bridged_interfaces)
+ # interfaces=$( echo $catch_interfaces | awk '{print $1 "," $2}')
+ define catch_interfaces = $(uci get pirania.base_config.catch_bridged_interfaces)
+
 # stop processing the chain for authorized macs and allowed ips (so they are accepted)
 nft $op inet pirania prerouting ether saddr @pirania-auth-macs accept
 nft $op inet pirania prerouting ip daddr @pirania-allowlist-ipv4 accept
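Review bot: `define catch_interfaces = $(uci get ...)` is nft script syntax, not shell: the interpreter will try to execute a command named `define`, print an error and carry on (there is no `set -e`), so nothing is assigned and the comment above promises a restriction that never happens. Use a plain assignment, `catch_interfaces=$(uci get pirania.base_config.catch_bridged_interfaces 2>/dev/null)`, and then reference it in an `iifname` match on the redirect rules — as the hunk stands every rule still applies on every interface. set_nftables continues outside the hunk.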
@@ -145,16 +150,23 @@ if [ "$1" = "start" ]; then
 set_nftables
 exit
 elif [ "$1" = "update" ] ; then
+ echo "Captive-portal updating rules"
 update_ipsets
 exit
 elif [ "$1" = "clean" ] || [ "$1" = "stop" ] ; then
 clean_tables
 exit
 elif [ "$enabled" = "1" ]; then
+ echo "Captive-portal already enabled, reloading rules"
 clean_tables
 update_ipsets
 set_nftables
 exit
+elif [ "$1" = "enabled" ]; then
+ uci set pirania.base_config.enabled='1'
+ # i/o error in my device - checkthis out later
+ #uci commit
+ echo "Captive-portal is now enabled"
 else
 echo "Pirania captive-portal is disabled. Try running captive-portal start"
 exit
From 36c9a8b47c4e201e077619bd10efa04655403d36 Mon Sep 17 00:00:00 2001
From: henmohr
Date: Thu, 5 Sep 2024 15:58:08 -0300
Subject: [PATCH 15/24] Add log info
---
 packages/pirania/files/usr/bin/captive-portal | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/packages/pirania/files/usr/bin/captive-portal b/packages/pirania/files/usr/bin/captive-portal
index 4c97f6e1a..e55d7b8d1 100755
--- a/packages/pirania/files/usr/bin/captive-portal
+++ b/packages/pirania/files/usr/bin/captive-portal
@@ -46,6 +46,7 @@ set_nftables () {
 # nft insert rule inet pirania prerouting iifname $interface accept
 #done
 # stop processing the chain for authorized macs and allowed ips (so they are accepted)
+<<<<<<< HEAD
 nft $op inet pirania prerouting ether saddr @pirania-auth-macs accept
 nft $op inet pirania prerouting ip daddr @pirania-allowlist-ipv4 accept
 nft $op inet pirania prerouting ip6 daddr @pirania-allowlist-ipv6 accept
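Review bot: The new `elif [ "$1" = "enabled" ]` branch can never run once the config already says enabled=1, because `elif [ "$enabled" = "1" ]` is tested before it and wins for any argument; move the new branch above that test. When it does run, `uci set pirania.base_config.enabled='1'` without a following `uci commit pirania` is discarded at the next config reload, so the echoed "is now enabled" does not survive a reboot; if the commit really fails with an I/O error on some device, surface it (`uci commit pirania || echo "uci commit failed" >&2`) rather than comment it out. The enclosing `if` chain starts outside the hunk.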
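Review bot: The `<<<<<<< HEAD` conflict marker is committed into the script, and the matching `=======` and `>>>>>>> 1a87a76d (Add log info)` lines land in the next hunk (`@@ -61,6 +62,15 @@`); none of them is valid shell, so the script aborts with a syntax error before any rule is installed and the captive portal is entirely absent on routers running this revision. Resolve the conflict: keep one of the two rule blocks (the `!=` redirects plus the three `accept` lines look like the intended one) and delete the other together with the markers. set_nftables continues outside the hunk.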
@@ -61,6 +62,15 @@ set_nftables () { nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip6 saddr != @pirania-allowlist-ipv6 counter log prefix "ipv6HTTP request from LAN: " redirect to :59080 +======= + nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip saddr @pirania-allowlist-ipv4 log prefix "ipv4dns request from LAN: " redirect to :59080 + #nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip6 saddr @pirania-allowlist-ipv6 counter log prefix "ipv6dns request from LAN: " redirect to :59080 + nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ether saddr @pirania-auth-macs counter log prefix "SMAC53 request from LAN: " redirect to :59080 + + nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip saddr @pirania-allowlist-ipv4 counter log prefix "ipv480 request from LAN: " redirect to :59053 + nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip6 saddr @pirania-allowlist-ipv6 counter log prefix "ipv680 request from LAN: " redirect to :59053 + nft $op inet pirania prerouting meta l4proto udp udp dport 53 ether saddr @pirania-auth-macs counter log prefix "SMAC80 request from LAN: " redirect to :59053 +>>>>>>> 1a87a76d (Add log info) # And in there let's reject them with the best suited reject reason. # Needed to change its value because of this error: From f46cbdea526ca54ab09bcbd1803d48058ccffff6 Mon Sep 17 00:00:00 2001 From: henmohr Date: Mon, 9 Sep 2024 21:36:48 -0300 Subject: [PATCH 16/24] Update utils.lua --- packages/pirania/files/usr/lib/lua/voucher/utils.lua | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/packages/pirania/files/usr/lib/lua/voucher/utils.lua b/packages/pirania/files/usr/lib/lua/voucher/utils.lua index 490d3defb..13498e55f 100644 --- a/packages/pirania/files/usr/lib/lua/voucher/utils.lua +++ b/packages/pirania/files/usr/lib/lua/voucher/utils.lua 
@@ -39,10 +39,7 @@ function utils.getIpv4AndMac(ip_address) res.mac = ipv4mac return res else -<<<<<<< HEAD -======= - # change from neighbor to neigh or n ->>>>>>> mohr-patch-nftables-1 + # change from neighbor to neigh or n will work local ipv6macCommand = "ip neigh | grep "..ip_address.." | awk -F ' ' '{print $5}' | head -n 1" fd6 = io.popen(ipv6macCommand, 'r') ipv6mac = fd6:read('*l') From 071b90493f947747058b5f124445ea9baaa66e15 Mon Sep 17 00:00:00 2001 From: henmohr Date: Mon, 9 Sep 2024 22:03:58 -0300 Subject: [PATCH 17/24] fix --- packages/pirania/Readme.md | 2 +- packages/pirania/files/usr/bin/captive-portal | 86 +++++-------------- 2 files changed, 23 insertions(+), 65 deletions(-) diff --git a/packages/pirania/Readme.md b/packages/pirania/Readme.md index cb5841829..d93a2377d 100644 --- a/packages/pirania/Readme.md +++ b/packages/pirania/Readme.md @@ -21,7 +21,7 @@ This are the currently implemented features: * Can be used without vouchers. ## Prerequisites -This software assumes that will be running on a OpenWRT/LEDE distribution (because uses uci for config). Needs `ip6tables-mod-nat` and `ipset` packages installed. +This software assumes that will be running on a OpenWRT/LEDE distribution (because uses uci for config). Needs `nftables` and `ipset` packages installed. ## Install diff --git a/packages/pirania/files/usr/bin/captive-portal b/packages/pirania/files/usr/bin/captive-portal index 0cddffd38..54226d292 100755 --- a/packages/pirania/files/usr/bin/captive-portal +++ b/packages/pirania/files/usr/bin/captive-portal 
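Review bot: `+ # change from neighbor to neigh or n will work` keeps the `#` comment syntax that Lua does not have, so the merge resolution still leaves `voucher.utils` unloadable; the line should read `-- change from neighbor to neigh or n will work` (or be dropped, which a later commit in this series does). utils.getIpv4AndMac continues outside the hunk.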
@@ -8,20 +8,8 @@ clean_tables () {
 nft delete table inet pirania
 fi
- #echo "Flushing rules"
- #nft flush chain inet pirania prerouting
- #nft flush chain inet pirania input
- #nft flush chain inet pirania forward
-
 }
-# Not needed anymore, since we are using nft set
-#clean_sets () {
-# echo "Cleaning ipset lists"
-# ipset flush pirania-auth-macs
-# ipset flush pirania-allowlist-ipv4
-# ipset flush pirania-allowlist-ipv6
-#}
 set_nftables () {
 echo "Apply captive-portal rules"
@@ -41,70 +29,40 @@ set_nftables () { nft add chain inet pirania input { type filter hook input priority 0 \; } nft add chain inet pirania forward { type filter hook forward priority 0 \; } - # Only accept packets from bridged interfaces - check this out after - #for interface in $(uci get pirania.base_config.catch_bridged_interfaces); do - # nft insert rule inet pirania prerouting iifname $interface accept - #done -<<<<<<< HEAD - # stop processing the chain for authorized macs and allowed ips (so they are accepted) -<<<<<<< HEAD - nft $op inet pirania prerouting ether saddr @pirania-auth-macs accept - nft $op inet pirania prerouting ip daddr @pirania-allowlist-ipv4 accept - nft $op inet pirania prerouting ip6 daddr @pirania-allowlist-ipv6 accept - - - nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip saddr @pirania-allowlist-ipv4 counter log prefix "ipv4DNS request from LAN: " redirect to :59053 - nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip6 saddr @pirania-allowlist-ipv6 counter log prefix "ipv6DNS request from LAN: " redirect to :59053 - nft $op inet pirania prerouting meta l4proto udp udp dport 53 ether saddr @pirania-auth-macs counter log prefix "SMACDNS request from LAN: " redirect to :59053 - - - nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ether saddr != @pirania-auth-macs counter log prefix "SMAC80 request from LAN: " redirect to :59080 - nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip saddr != @pirania-allowlist-ipv4 counter log prefix "ipv4HTTP request from LAN: " redirect to :59080 - nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip6 saddr != @pirania-allowlist-ipv6 counter log prefix "ipv6HTTP request from LAN: " redirect to :59080 - + # Add mac-adress set + nft add set inet pirania pirania-auth-macs { type ether_addr\; } -======= - nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip saddr @pirania-allowlist-ipv4 log prefix "ipv4dns request from LAN: " 
redirect to :59080 - #nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip6 saddr @pirania-allowlist-ipv6 counter log prefix "ipv6dns request from LAN: " redirect to :59080 - nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ether saddr @pirania-auth-macs counter log prefix "SMAC53 request from LAN: " redirect to :59080 + # Create ipv4 set on pirania table + nft add set inet pirania pirania-allowlist-ipv4 { type ipv4_addr \; flags interval \; comment \"allow ipv4 list\" \; } + # Create ipv6 set on pirania table + nft add set inet pirania pirania-allowlist-ipv6 { type ipv6_addr \; flags interval \; comment \"allow ipv6 list\" \; } - nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip saddr @pirania-allowlist-ipv4 counter log prefix "ipv480 request from LAN: " redirect to :59053 - nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip6 saddr @pirania-allowlist-ipv6 counter log prefix "ipv680 request from LAN: " redirect to :59053 - nft $op inet pirania prerouting meta l4proto udp udp dport 53 ether saddr @pirania-auth-macs counter log prefix "SMAC80 request from LAN: " redirect to :59053 ->>>>>>> 1a87a76d (Add log info) -======= - # Get interfaces where captive-portal will intercept traffic + # Only accept packets from interfaces defined in catch_bridged_interfaces + catch_interfaces=$(uci get pirania.base_config.catch_bridged_interfaces | sed 's/ /,/g') + # Get interfaces where captive-portal will intercept traffic # catch_interfaces=$(uci get pirania.base_config.catch_bridged_interfaces) # interfaces=$( echo $catch_interfaces | awk '{print $1 "," $2}') - define catch_interfaces = $(uci get pirania.base_config.catch_bridged_interfaces) - + # Test rule bellow + # nft add rule inet pirania prerouting iifname {$catch_interfaces} ether saddr @pirania-auth-macs accept # stop processing the chain for authorized macs and allowed ips (so they are accepted) - nft $op inet pirania prerouting ether saddr @pirania-auth-macs accept 
- nft $op inet pirania prerouting ip daddr @pirania-allowlist-ipv4 accept - nft $op inet pirania prerouting ip6 daddr @pirania-allowlist-ipv6 accept + nft $op inet pirania prerouting ether saddr @pirania-auth-macs ct state new,established,related counter accept + nft $op inet pirania prerouting ip daddr @pirania-allowlist-ipv4 ct state new,established,related counter accept + nft $op inet pirania prerouting ip6 daddr @pirania-allowlist-ipv6 ct state new,established,related counter accept + #nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip saddr @pirania-allowlist-ipv4 counter redirect to :59053 + #nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip6 saddr @pirania-allowlist-ipv6 counter redirect to :59053 + nft $op inet pirania prerouting meta l4proto udp udp dport 53 ether saddr != @pirania-auth-macs counter redirect to :59053 + + nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ether saddr != @pirania-auth-macs counter redirect to :59080 + nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip saddr != @pirania-allowlist-ipv4 counter redirect to :59080 + nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip6 saddr != @pirania-allowlist-ipv6 counter redirect to :59080 - nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip saddr @pirania-allowlist-ipv4 counter log prefix "ipv4DNS request from LAN: " redirect to :59053 - nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip6 saddr @pirania-allowlist-ipv6 counter log prefix "ipv6DNS request from LAN: " redirect to :59053 - nft $op inet pirania prerouting meta l4proto udp udp dport 53 ether saddr @pirania-auth-macs counter log prefix "SMACDNS request from LAN: " redirect to :59053 - - - nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ether saddr != @pirania-auth-macs counter log prefix "SMAC80 request from LAN: " redirect to :59080 - nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip saddr != 
@pirania-allowlist-ipv4 counter log prefix "ipv4HTTP request from LAN: " redirect to :59080 - nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip6 saddr != @pirania-allowlist-ipv6 counter log prefix "ipv6HTTP request from LAN: " redirect to :59080 - - ->>>>>>> mohr-patch-nftables-1 - - # And in there let's reject them with the best suited reject reason. - # Needed to change its value because of this error: - # Error: Prefix length 255 is invalid for type of 32 bits width - # add rule inet pirania forward meta mark 0x66/0xff counter reject with tcp reset nft $op inet pirania forward meta mark 0x11/0x11 counter reject with tcp reset nft $op inet pirania forward meta mark 0x11/0x11 counter reject } + update_ipsets () { # Create tables and sets From 30d23857421280af4ee31490351aaae8d8cdddb9 Mon Sep 17 00:00:00 2001 From: henmohr Date: Mon, 9 Sep 2024 22:07:32 -0300 Subject: [PATCH 18/24] add comments --- packages/pirania/files/usr/bin/captive-portal | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/packages/pirania/files/usr/bin/captive-portal b/packages/pirania/files/usr/bin/captive-portal index 54226d292..7631473d7 100755 --- a/packages/pirania/files/usr/bin/captive-portal +++ b/packages/pirania/files/usr/bin/captive-portal 
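Review bot: `catch_interfaces=$(uci get ... | sed 's/ /,/g')` is assigned but never used — its only consumer is the commented-out test rule — so the comment `# Only accept packets from interfaces defined in catch_bridged_interfaces` describes a restriction that does not exist, and every prerouting rule below it fires on every interface, upstream and mesh links included. If the variable is meant to matter, check it and use it: `[ -n "$catch_interfaces" ] || echo "captive-portal: no catch_bridged_interfaces configured" >&2` and an `iifname { $catch_interfaces }` match on the redirect rules (the braces need a non-empty value or nft rejects the rule). Otherwise remove the assignment and the comment so the next reader is not misled. The header of set_nftables is outside the hunk.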
@@ -39,20 +39,20 @@ set_nftables () { # Only accept packets from interfaces defined in catch_bridged_interfaces catch_interfaces=$(uci get pirania.base_config.catch_bridged_interfaces | sed 's/ /,/g') - # Get interfaces where captive-portal will intercept traffic - # catch_interfaces=$(uci get pirania.base_config.catch_bridged_interfaces) - # interfaces=$( echo $catch_interfaces | awk '{print $1 "," $2}') - # Test rule bellow - # nft add rule inet pirania prerouting iifname {$catch_interfaces} ether saddr @pirania-auth-macs accept - # stop processing the chain for authorized macs and allowed ips (so they are accepted) + + # allow packets from authorized macs nft $op inet pirania prerouting ether saddr @pirania-auth-macs ct state new,established,related counter accept + # allow traffic from lan nft $op inet pirania prerouting ip daddr @pirania-allowlist-ipv4 ct state new,established,related counter accept + # same as above nft $op inet pirania prerouting ip6 daddr @pirania-allowlist-ipv6 ct state new,established,related counter accept + # redirect to pirania-dnsmasq #nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip saddr @pirania-allowlist-ipv4 counter redirect to :59053 #nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip6 saddr @pirania-allowlist-ipv6 counter redirect to :59053 nft $op inet pirania prerouting meta l4proto udp udp dport 53 ether saddr != @pirania-auth-macs counter redirect to :59053 + # redirect to pirania-uhttpd nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ether saddr != @pirania-auth-macs counter redirect to :59080 nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip saddr != @pirania-allowlist-ipv4 counter redirect to :59080 nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip6 saddr != @pirania-allowlist-ipv6 counter redirect to :59080 From 86f38f953a2f595aa88598c42a303c1ba6f39c3a Mon Sep 17 00:00:00 2001 
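Review bot: The new comment `# allow traffic from lan` sits above a rule that matches `ip daddr @pirania-allowlist-ipv4`, i.e. packets going *to* an allowlisted destination from any source, not traffic from the LAN; suggest `# accept traffic to allowlisted ipv4 destinations (walled garden), whatever the source`, and replace `# same as above` with `# same for allowlisted ipv6 destinations` so each rule reads on its own. The retained `# Only accept packets from interfaces defined in catch_bridged_interfaces` still has no rule behind it in this hunk (nothing references `$catch_interfaces`), so it should either be backed by an `iifname` match or say that the restriction is not implemented yet.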
From: henmohr Date: Mon, 9 Sep 2024 22:08:38 -0300 Subject: [PATCH 19/24] fix functions --- packages/pirania/files/usr/bin/captive-portal | 71 +++++-------------- 1 file changed, 18 insertions(+), 53 deletions(-) diff --git a/packages/pirania/files/usr/bin/captive-portal b/packages/pirania/files/usr/bin/captive-portal index 7631473d7..8531b4a66 100755 --- a/packages/pirania/files/usr/bin/captive-portal +++ b/packages/pirania/files/usr/bin/captive-portal 
@@ -68,73 +68,37 @@ update_ipsets () { # Create tables and sets echo "Updating captive-portal rules" - # Add mac-adress set - nft add set inet pirania pirania-auth-macs { type ether_addr\; } + # Add authorized MAC addresses for mac in $(pirania_authorized_macs) ; do nft add element inet pirania pirania-auth-macs {$mac} done - # Create ipv4 set on pirania table - nft add set inet pirania pirania-allowlist-ipv4 { type ipv4_addr \; flags interval \; comment \"allow ipv4 list\" \; } - # Create ipv6 set on pirania table - nft add set inet pirania pirania-allowlist-ipv6 { type ipv6_addr \; flags interval \; comment \"allow ipv6 list\" \; } - # Update pirania-allowlist sets for ipv4 and ipv6 - for ipvX in ipv4 ipv6 ; do - # Don't need this if, since addr type is specified in 'type ipv6_addr' - # if [ "$ipvX" = "ipv4" ] ; then - # family=inet - # else - # family=inet6 - # fi - - # Clear existing entries (optional) - nft flush set inet pirania pirania-allowlist-${ipvX} - - # Add allowed IP addresses/prefixes - for item in $(uci get pirania.base_config.allowlist_$ipvX); do - nft add element inet pirania pirania-allowlist-${ipvX} {$item} - done - done + nft flush set inet pirania pirania-allowlist-ipv4 + nft flush set inet pirania pirania-allowlist-ipv6 + + # Add allowed ip/prefixes + # Get values from allowlist_ipvX and add to pirania-allowlist-ipvX set + ipv4allowlist=$(uci get pirania.base_config.allowlist_ipv4 | sed 's/ /,/g') + nft add element inet pirania pirania-allowlist-ipv4 {$ipv4allowlist} + + ipv6allowlist=$(uci get pirania.base_config.allowlist_ipv6 | sed 's/ /,/g') + nft add element inet pirania pirania-allowlist-ipv6 {$ipv6allowlist} } -#update_ipsets () { - # using temporary ipset sets and swaping them so the update - # implies minimal disturb to the network and a previous clean-up - # is not needed -# ipset -exist create pirania-auth-macs hash:mac timeout 0 -# ipset -exist create pirania-auth-macs-tmp hash:mac timeout 0 -# for mac in 
$(pirania_authorized_macs) ; do -# ipset -exist add pirania-auth-macs-tmp $mac -# done -# ipset swap pirania-auth-macs-tmp pirania-auth-macs -# ipset destroy pirania-auth-macs-tmp -# -# for ipvX in ipv4 ipv6 ; do -# if [ "$ipvX" = "ipv4" ] ; then -# family=inet -# else -# family=inet6 -# fi -# ipset -exist create pirania-allowlist-${ipvX} hash:net family $family -# ipset -exist create pirania-allowlist-${ipvX}-tmp hash:net family $family -# for item in $(uci get pirania.base_config.allowlist_$ipvX); do -# ipset -exist add pirania-allowlist-${ipvX}-tmp $item -# done -# ipset swap pirania-allowlist-${ipvX}-tmp pirania-allowlist-${ipvX} -# ipset destroy pirania-allowlist-${ipvX}-tmp -# done -#} + + # check if captive-portal is enabled in /etc/config/pirania enabled=$(uci get pirania.base_config.enabled) if [ "$1" = "start" ]; then echo "Running captive-portal" + /etc/init.d/pirania-uhttpd start clean_tables - update_ipsets set_nftables + update_ipsets exit elif [ "$1" = "update" ] ; then echo "Captive-portal updating rules" @@ -146,15 +110,16 @@ elif [ "$1" = "clean" ] || [ "$1" = "stop" ] ; then elif [ "$enabled" = "1" ]; then echo "Captive-portal already enabled, reloading rules" clean_tables +# set_nftables update_ipsets - set_nftables exit elif [ "$1" = "enabled" ]; then uci set pirania.base_config.enabled='1' - # i/o error in my device - checkthis out later + # i/o error in my device - check later #uci commit echo "Captive-portal is now enabled" else echo "Pirania captive-portal is disabled. Try running captive-portal start" exit fi + From e0c125c26f9363e590ea9bbe35a1448da61e936a Mon Sep 17 00:00:00 2001 From: henmohr Date: Wed, 11 Sep 2024 13:09:07 -0300 Subject: [PATCH 20/24] Update rules --- packages/pirania/files/usr/bin/captive-portal | 60 ++++++++----------- 1 file changed, 26 insertions(+), 34 deletions(-) diff --git a/packages/pirania/files/usr/bin/captive-portal b/packages/pirania/files/usr/bin/captive-portal index 8531b4a66..ce16c1f4c 100755 
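Review bot: `nft add element inet pirania pirania-allowlist-ipv4 {$ipv4allowlist}` breaks when the option is empty or unset: `uci get` then prints an error and outputs nothing, the expansion becomes `{}`, and nft rejects the command (the per-item loop this replaces simply added nothing). Guard both calls, e.g. `ipv4allowlist=$(uci get pirania.base_config.allowlist_ipv4 2>/dev/null | sed 's/ /,/g')` followed by `[ -n "$ipv4allowlist" ] && nft add element inet pirania pirania-allowlist-ipv4 "{$ipv4allowlist}"`, and the same for ipv6. `nft flush set` runs before the guard, so an empty option still empties the set as intended.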
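Review bot: Commenting out `set_nftables` in the reload path (`elif [ "$enabled" = "1" ]`) leaves `clean_tables` followed directly by `update_ipsets`: `clean_tables` deletes the whole `inet pirania` table, so the `nft add element` calls fail against sets that no longer exist and the script exits with no captive-portal rules loaded — every client passes unchallenged until someone runs `start` again. Either keep `set_nftables` between the two calls or drop `clean_tables` from this branch (`update_ipsets` already flushes the allowlist sets). The `if` chain starts outside the hunk.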
--- a/packages/pirania/files/usr/bin/captive-portal +++ b/packages/pirania/files/usr/bin/captive-portal @@ -7,19 +7,18 @@ clean_tables () { if nft list tables inet | grep -q "pirania"; then nft delete table inet pirania fi - + } - set_nftables () { echo "Apply captive-portal rules" # Detect wheter add or insert rules - append_nft_rules=$(uci get pirania.base_config.append_nft_rules 2> /dev/null) - if [ "$append_nft_rules" = "1" ] ; then - op="add rule" - else - op="insert rule" - fi + #append_nft_rules=$(uci get pirania.base_config.append_nft_rules 2> /dev/null) + #if [ "$append_nft_rules" = "1" ] ; then + # op="add rule" + #else + # op="insert rule" + #fi # Create pirania tables nft create table inet pirania 
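Review bot: Commenting out the `append_nft_rules` block means the uci option is now read nowhere and silently ignored, and `op` is no longer defined in this function; any `$op` reference that remains outside the hunk would expand to nothing and produce an `nft inet pirania ...` call that fails. Either delete the dead comment block and mark the option as unsupported wherever it is documented, or keep the assignment and have the rules use it. The remainder of set_nftables is outside the hunk.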
@@ -40,35 +39,31 @@ set_nftables () { # Only accept packets from interfaces defined in catch_bridged_interfaces catch_interfaces=$(uci get pirania.base_config.catch_bridged_interfaces | sed 's/ /,/g') - # allow packets from authorized macs - nft $op inet pirania prerouting ether saddr @pirania-auth-macs ct state new,established,related counter accept - # allow traffic from lan - nft $op inet pirania prerouting ip daddr @pirania-allowlist-ipv4 ct state new,established,related counter accept - # same as above - nft $op inet pirania prerouting ip6 daddr @pirania-allowlist-ipv6 ct state new,established,related counter accept - - # redirect to pirania-dnsmasq - #nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip saddr @pirania-allowlist-ipv4 counter redirect to :59053 - #nft $op inet pirania prerouting meta l4proto udp udp dport 53 ip6 saddr @pirania-allowlist-ipv6 counter redirect to :59053 - nft $op inet pirania prerouting meta l4proto udp udp dport 53 ether saddr != @pirania-auth-macs counter redirect to :59053 - - # redirect to pirania-uhttpd - nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ether saddr != @pirania-auth-macs counter redirect to :59080 - nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip saddr != @pirania-allowlist-ipv4 counter redirect to :59080 - nft $op inet pirania prerouting meta l4proto tcp tcp dport 80 ip6 saddr != @pirania-allowlist-ipv6 counter redirect to :59080 - + # Allow MACs already registered + nft add rule inet pirania prerouting ether saddr @pirania-auth-macs ct state new,established,related counter accept + #nft add rule inet pirania prerouting ip daddr @pirania-allowlist-ipv4 ct state new,established,related counter accept + #nft add rule inet pirania prerouting ip6 daddr @pirania-allowlist-ipv6 ct state new,established,related counter accept - nft $op inet pirania forward meta mark 0x11/0x11 counter reject with tcp reset - nft $op inet pirania forward meta mark 0x11/0x11 counter reject + 
#nft add rule inet pirania prerouting meta l4proto udp udp dport 53 ip saddr @pirania-allowlist-ipv4 ct state new,established,related counter redirect to :59053 + #nft add rule inet pirania prerouting meta l4proto udp udp dport 53 ip6 saddr @pirania-allowlist-ipv6 ct state new,established,related counter redirect to :59053 + nft add rule inet pirania prerouting meta l4proto udp udp dport 53 ether saddr != @pirania-auth-macs ct state new,established,related counter redirect to :59053 + + # Redirect unauthorized macs to pirania-uhttp + nft add rule inet pirania prerouting meta l4proto tcp tcp dport 80 ether saddr != @pirania-auth-macs ct state new,established,related counter redirect to :59080 + #nft add rule inet pirania prerouting meta l4proto tcp tcp dport 80 ip saddr @pirania-allowlist-ipv4 ct state new,established,related counter redirect to :59080 + #nft add rule inet pirania prerouting meta l4proto tcp tcp dport 80 ip6 saddr @pirania-allowlist-ipv6 ct state new,established,related counter redirect to :59080 + + # reject + nft add rule inet pirania prerouting drop + #nft add rule inet pirania forward meta mark 0x11/0x11 counter reject with tcp reset + #nft add rule inet pirania forward meta mark 0x11/0x11 counter reject } - update_ipsets () { # Create tables and sets echo "Updating captive-portal rules" - # Add authorized MAC addresses for mac in $(pirania_authorized_macs) ; do nft add element inet pirania pirania-auth-macs {$mac} @@ -87,14 +82,12 @@ update_ipsets () { nft add element inet pirania pirania-allowlist-ipv6 {$ipv6allowlist} } - - - # check if captive-portal is enabled in /etc/config/pirania enabled=$(uci get pirania.base_config.enabled) if [ "$1" = "start" ]; then echo "Running captive-portal" + /etc/init.d/pirania-dnsmasq start /etc/init.d/pirania-uhttpd start clean_tables set_nftables 
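Review bot: `nft add rule inet pirania prerouting drop` has no match expression, so once the earlier accept/redirect rules are passed every remaining packet on every interface is dropped — including flows that never needed the portal (nothing arriving from upstream or mesh links is exempt, since `catch_interfaces` is still unused) and, with the two allowlist `accept` rules now commented out, traffic from unauthorized clients to allowlisted destinations. A catch-all belongs in the forward chain and should be scoped to what the portal is meant to block, e.g. `nft add rule inet pirania forward ether saddr != @pirania-auth-macs ip daddr != @pirania-allowlist-ipv4 counter drop` (constructed, IPv6 counterpart needed), leaving prerouting to redirects only. `ct state new,established,related` on every rule matches all tracked states except invalid/untracked and adds nothing but noise. The prerouting chain's hook and type are declared outside the hunk, so the exact effect on router-local traffic cannot be confirmed here.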
@@ -121,5 +114,4 @@ elif [ "$1" = "enabled" ]; then
 else
 echo "Pirania captive-portal is disabled. Try running captive-portal start"
 exit
-fi
-
+fi
\ No newline at end of file
From 4888ef23be230348dcab52059ec82b01be2fc1d6 Mon Sep 17 00:00:00 2001
From: henmohr
Date: Fri, 13 Sep 2024 11:30:50 -0300
Subject: [PATCH 21/24] redirection loop also
---
 packages/pirania/files/usr/bin/captive-portal | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/packages/pirania/files/usr/bin/captive-portal b/packages/pirania/files/usr/bin/captive-portal
index ce16c1f4c..425f7dac5 100755
--- a/packages/pirania/files/usr/bin/captive-portal
+++ b/packages/pirania/files/usr/bin/captive-portal
@@ -39,6 +39,10 @@ set_nftables () {
 # Only accept packets from interfaces defined in catch_bridged_interfaces
 catch_interfaces=$(uci get pirania.base_config.catch_bridged_interfaces | sed 's/ /,/g')
+
+ nft add rule inet pirania prerouting meta l4proto udp udp dport 53 ether saddr != @pirania-auth-macs ct state new,established,related counter redirect to :59053
+ nft add rule inet pirania prerouting meta l4proto tcp tcp dport 80 ether saddr != @pirania-auth-macs ct state new,established,related counter redirect to :59080
+
 # Allow MACs already registered
 nft add rule inet pirania prerouting ether saddr @pirania-auth-macs ct state new,established,related counter accept
 #nft add rule inet pirania prerouting ip daddr @pirania-allowlist-ipv4 ct state new,established,related counter accept
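Review bot: Moving the two `ether saddr != @pirania-auth-macs` redirect rules above the `ether saddr @pirania-auth-macs ... accept` rule changes nothing: the two match sets are disjoint, so no packet is evaluated differently, and the copies removed in the next hunk (`@@ -46,10 +50,8 @@`) make this a pure reorder. If a redirection loop is being chased, rule order is not its cause; the unconditional `drop` at the end of the chain and the missing `iifname` scoping, both outside this hunk, are worth checking first. A one-line comment stating why this order was chosen would spare the next reader the same analysis.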
@@ -46,10 +50,8 @@ set_nftables () { #nft add rule inet pirania prerouting meta l4proto udp udp dport 53 ip saddr @pirania-allowlist-ipv4 ct state new,established,related counter redirect to :59053 #nft add rule inet pirania prerouting meta l4proto udp udp dport 53 ip6 saddr @pirania-allowlist-ipv6 ct state new,established,related counter redirect to :59053 - nft add rule inet pirania prerouting meta l4proto udp udp dport 53 ether saddr != @pirania-auth-macs ct state new,established,related counter redirect to :59053 # Redirect unauthorized macs to pirania-uhttp - nft add rule inet pirania prerouting meta l4proto tcp tcp dport 80 ether saddr != @pirania-auth-macs ct state new,established,related counter redirect to :59080 #nft add rule inet pirania prerouting meta l4proto tcp tcp dport 80 ip saddr @pirania-allowlist-ipv4 ct state new,established,related counter redirect to :59080 #nft add rule inet pirania prerouting meta l4proto tcp tcp dport 80 ip6 saddr @pirania-allowlist-ipv6 ct state new,established,related counter redirect to :59080 From b5887d4556286160cb13af15964f7939dcc139cd Mon Sep 17 00:00:00 2001 From: henmohr Date: Tue, 17 Sep 2024 10:59:52 -0300 Subject: [PATCH 22/24] fix redirection loop --- packages/pirania/files/usr/bin/captive-portal | 25 ++++++++++++------- .../files/usr/lib/lua/voucher/utils.lua | 1 - 2 files changed, 16 insertions(+), 10 deletions(-) diff --git a/packages/pirania/files/usr/bin/captive-portal b/packages/pirania/files/usr/bin/captive-portal index 425f7dac5..de945b6f8 100755 --- a/packages/pirania/files/usr/bin/captive-portal +++ b/packages/pirania/files/usr/bin/captive-portal 
@@ -39,26 +39,33 @@ set_nftables () {
 # Only accept packets from interfaces defined in catch_bridged_interfaces
 catch_interfaces=$(uci get pirania.base_config.catch_bridged_interfaces | sed 's/ /,/g')
+ nft add rule inet pirania prerouting meta l4proto tcp tcp dport 22 accept
- nft add rule inet pirania prerouting meta l4proto udp udp dport 53 ether saddr != @pirania-auth-macs ct state new,established,related counter redirect to :59053
- nft add rule inet pirania prerouting meta l4proto tcp tcp dport 80 ether saddr != @pirania-auth-macs ct state new,established,related counter redirect to :59080
+
+ nft add rule inet pirania prerouting meta l4proto udp udp dport 53 ether saddr != @pirania-auth-macs ct state new,established,related counter log prefix "SMACDNS" redirect to :59053
+ #nft add rule inet pirania prerouting meta l4proto tcp tcp dport 80 ether saddr != @pirania-auth-macs ct state new,established,related counter log prefix "SMACHTTP" redirect to :59080
+
+ nft add rule inet pirania prerouting meta l4proto tcp tcp dport 80 ip saddr @pirania-allowlist-ipv4 ct state new,established,related counter log prefix "IPv4HTTP" redirect to :59080
+ #nft add rule inet pirania prerouting meta l4proto tcp tcp dport 80 ip6 saddr @pirania-allowlist-ipv6 ct state new,established,related counter log prefix "IPV6HTTP" redirect to :59080
 # Allow MACs already registered
- nft add rule inet pirania prerouting ether saddr @pirania-auth-macs ct state new,established,related counter accept
- #nft add rule inet pirania prerouting ip daddr @pirania-allowlist-ipv4 ct state new,established,related counter accept
- #nft add rule inet pirania prerouting ip6 daddr @pirania-allowlist-ipv6 ct state new,established,related counter accept
+ nft add rule inet pirania prerouting ether saddr @pirania-auth-macs ct state new,established,related counter log prefix "ValidSMAC" accept
+
+
+
+ #nft add rule inet pirania prerouting ip daddr @pirania-allowlist-ipv4 ct state new,established,related counter log prefix "ACCEPT-ipv4" accept
+ #nft add rule inet pirania prerouting ip6 daddr @pirania-allowlist-ipv6 ct state new,established,related counter log prefix "ACCEPT-ipv6" accept
 #nft add rule inet pirania prerouting meta l4proto udp udp dport 53 ip saddr @pirania-allowlist-ipv4 ct state new,established,related counter redirect to :59053
 #nft add rule inet pirania prerouting meta l4proto udp udp dport 53 ip6 saddr @pirania-allowlist-ipv6 ct state new,established,related counter redirect to :59053
- # Redirect unauthorized macs to pirania-uhttp
- #nft add rule inet pirania prerouting meta l4proto tcp tcp dport 80 ip saddr @pirania-allowlist-ipv4 ct state new,established,related counter redirect to :59080
- #nft add rule inet pirania prerouting meta l4proto tcp tcp dport 80 ip6 saddr @pirania-allowlist-ipv6 ct state new,established,related counter redirect to :59080
 # reject
- nft add rule inet pirania prerouting drop
+
+ #nft add rule inet pirania prerouting drop
 #nft add rule inet pirania forward meta mark 0x11/0x11 counter reject with tcp reset
 #nft add rule inet pirania forward meta mark 0x11/0x11 counter reject
+
 }
 update_ipsets () {
diff --git a/packages/pirania/files/usr/lib/lua/voucher/utils.lua b/packages/pirania/files/usr/lib/lua/voucher/utils.lua
index 13498e55f..29d1ac563 100644
--- a/packages/pirania/files/usr/lib/lua/voucher/utils.lua
+++ b/packages/pirania/files/usr/lib/lua/voucher/utils.lua
@@ -39,7 +39,6 @@ function utils.getIpv4AndMac(ip_address)
 res.mac = ipv4mac
 return res
 else
- # change from neighbor to neigh or n will work
 local ipv6macCommand = "ip neigh | grep "..ip_address.." | awk -F ' ' '{print $5}' | head -n 1"
 fd6 = io.popen(ipv6macCommand, 'r')
 ipv6mac = fd6:read('*l')
From 1874558274e40a1eb2ca60a487acd5deef3009df Mon Sep 17 00:00:00 2001
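Review bot: `nft add rule inet pirania prerouting meta l4proto tcp tcp dport 22 accept`, placed first in the chain, accepts TCP/22 from every client whether or not its MAC is in @pirania-auth-macs, and later in the same hunk the terminal `nft add rule inet pirania prerouting drop` is turned into a comment, so apart from the DNS and HTTP redirects nothing visible in this chain stops an unauthorized client any more (unless the chain policy, defined outside the hunk, is drop). If the port-22 rule is for administering the router, scope it to the router's own address with `ip daddr` or to `ether saddr @pirania-auth-macs` and give it a comment; if it was a debugging aid it should not be committed, and disabling the drop deserves a comment saying why rather than a silent `#`. The new `log prefix` actions have no rate limit, so on a busy network these rules can fill the router's syslog; consider gating them behind a debug setting or putting them in separate rate-limited `log` rules so the redirect itself is never skipped. set_nftables starts outside the hunk.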
From: henmohr
Date: Tue, 17 Sep 2024 11:23:35 -0300
Subject: [PATCH 23/24] fix utils.lua
---
 packages/pirania/files/usr/lib/lua/voucher/utils.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/pirania/files/usr/lib/lua/voucher/utils.lua b/packages/pirania/files/usr/lib/lua/voucher/utils.lua
index 29d1ac563..f1f472314 100644
--- a/packages/pirania/files/usr/lib/lua/voucher/utils.lua
+++ b/packages/pirania/files/usr/lib/lua/voucher/utils.lua
@@ -44,7 +44,7 @@ function utils.getIpv4AndMac(ip_address)
 ipv6mac = fd6:read('*l')
 fd6:close()
 local ipv4cCommand = "cat /proc/net/arp | grep "..ipv6mac.." | awk -F ' ' '{print $1}' | head -n 1"
- fd4 = io.popen(ipv4Command, 'r')
+ fd4 = io.popen(ipv4cCommand, 'r')
 ipv4 = fd4:read('*l')
 fd4:close()
 local res = {}
From 358c2039ca372ba3eeec933bb90c659e096c7788 Mon Sep 17 00:00:00 2001
From: henmohr
Date: Tue, 24 Sep 2024 19:12:16 -0300
Subject: [PATCH 24/24] fix order of rules
---
 packages/pirania/Readme.md | 21 -------------------
 packages/pirania/files/usr/bin/captive-portal | 21 ++++++++-----------
 2 files changed, 9 insertions(+), 33 deletions(-)
diff --git a/packages/pirania/Readme.md b/packages/pirania/Readme.md
index d93a2377d..bbf447bea 100644
--- a/packages/pirania/Readme.md
+++ b/packages/pirania/Readme.md
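Review bot: `fd4 = io.popen(ipv4cCommand, 'r')` now runs the intended command, but the line above builds it from `ipv6mac`, which is `fd6:read('*l')` from the context at the top of the hunk and is nil when `ip neigh` printed no line for the address; the `..ipv6mac..` concatenation then raises "attempt to concatenate a nil value" before `io.popen` is reached. Guard it, `if not ipv6mac then return nil end` (or whatever the callers of getIpv4AndMac already handle), before building the command. Both commands interpolate data into a shell pipeline without quoting — `ipv6mac` from `ip neigh` output here and, outside this hunk, `ip_address` — so the function should reject anything that is not a plain IPv4/IPv6 literal before it reaches the shell, and `grep` with a bare address also matches longer addresses containing it (10.0.0.1 inside 10.0.0.10), so the pattern should be anchored. The function header is outside the hunk.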
@@ -211,24 +211,3 @@ The flow without using vouchers (read for access mode) is:
 * Once there if the client has js support then a countdown of 15 seconds is shown and when it reaches 0 the user can click on continue, which sends a GET request to `http://minodo.info/cgi-bin/pirania/authorize_mac?prev=http%3A%2F%2Foriginal.org%2Fbaz%2F%3Ffoo%3Dbar` which will trigger a redirection to `prev` url.
 * If there the client has no js support, then the buttonis enabled inmediately, and after clicking in continue a redirection to `url_authenticated` is triggered.
-
-### Common errors
-
-If you flashed an old device (e.g. TP-Link Archer C50 V1) you may need to update some files.
-
-#### 1) opkg update gives error
-when you run `opkg update` and this error occur:
-```
-Collected errors:
- * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.10/packages/mipsel_24kc/libremesh/Packages.gz, wget returned 8.
- * opkg_download: Failed to download http://downloads.openwrt.org/releases/19.07.10/packages/mipsel_24kc/profiles/Packages.gz, wget returned 8.`
-```
-Do the following:
-```
--> on the router, at the file `/etc/opkg/distfeeds.conf` comment the following lines:
-src/gz libremesh_libremesh http://downloads.openwrt.org/releases/19.07.10/packages/mipsel_24kc/libremesh
-src/gz libremesh_profiles http://downloads.openwrt.org/releases/19.07.10/packages/mipsel_24kc/profiles
-```
-
-#### 2)
-
diff --git a/packages/pirania/files/usr/bin/captive-portal b/packages/pirania/files/usr/bin/captive-portal
index de945b6f8..99d3adae7 100755
--- a/packages/pirania/files/usr/bin/captive-portal
+++ b/packages/pirania/files/usr/bin/captive-portal
@@ -39,23 +39,19 @@ set_nftables () {
 # Only accept packets from interfaces defined in catch_bridged_interfaces
 catch_interfaces=$(uci get pirania.base_config.catch_bridged_interfaces | sed 's/ /,/g')
- nft add rule inet pirania prerouting meta l4proto tcp tcp dport 22 accept
-
+ # stop processing the chain for authorized macs and allowed ips (so they are accepted)
+ nft add rule inet pirania prerouting ether saddr @pirania-auth-macs ct state new,established,related counter log prefix "ValidSMAC" accept
+ nft add rule inet pirania prerouting ip daddr @pirania-allowlist-ipv4 ct state new,established,related counter log prefix "ACCEPT-ipv4" accept
+ nft add rule inet pirania prerouting ip6 daddr @pirania-allowlist-ipv6 ct state new,established,related counter log prefix "ACCEPT-ipv6" accept
+ # send DNS requests, that are not from valid ips or macs, to our own captive portal DNS at 59053
 nft add rule inet pirania prerouting meta l4proto udp udp dport 53 ether saddr != @pirania-auth-macs ct state new,established,related counter log prefix "SMACDNS" redirect to :59053
- #nft add rule inet pirania prerouting meta l4proto tcp tcp dport 80 ether saddr != @pirania-auth-macs ct state new,established,related counter log prefix "SMACHTTP" redirect to :59080
+ # redirect packets with dest port 80 to port 59080 of this host (the captive portal page).
+ nft add rule inet pirania prerouting meta l4proto tcp tcp dport 80 ether saddr != @pirania-auth-macs ct state new,established,related counter log prefix "SMACHTTP" redirect to :59080
- nft add rule inet pirania prerouting meta l4proto tcp tcp dport 80 ip saddr @pirania-allowlist-ipv4 ct state new,established,related counter log prefix "IPv4HTTP" redirect to :59080
+ #nft add rule inet pirania prerouting meta l4proto tcp tcp dport 80 ip saddr @pirania-allowlist-ipv4 ct state new,established,related counter log prefix "IPv4HTTP" redirect to :59080
 #nft add rule inet pirania prerouting meta l4proto tcp tcp dport 80 ip6 saddr @pirania-allowlist-ipv6 ct state new,established,related counter log prefix "IPV6HTTP" redirect to :59080
- # Allow MACs already registered
- nft add rule inet pirania prerouting ether saddr @pirania-auth-macs ct state new,established,related counter log prefix "ValidSMAC" accept
-
-
-
- #nft add rule inet pirania prerouting ip daddr @pirania-allowlist-ipv4 ct state new,established,related counter log prefix "ACCEPT-ipv4" accept
- #nft add rule inet pirania prerouting ip6 daddr @pirania-allowlist-ipv6 ct state new,established,related counter log prefix "ACCEPT-ipv6" accept
- #nft add rule inet pirania prerouting meta l4proto udp udp dport 53 ip saddr @pirania-allowlist-ipv4 ct state new,established,related counter redirect to :59053
 #nft add rule inet pirania prerouting meta l4proto udp udp dport 53 ip6 saddr @pirania-allowlist-ipv6 ct state new,established,related counter redirect to :59053
@@ -76,6 +72,7 @@ update_ipsets () {
 # Add authorized MAC addresses
 for mac in $(pirania_authorized_macs) ; do
 nft add element inet pirania pirania-auth-macs {$mac}
+ echo "Adicionando enderecos:" $mac
 done
 # Update pirania-allowlist sets for ipv4 and ipv6
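Review bot: The comment `# send DNS requests, that are not from valid ips or macs, to our own captive portal DNS at 59053` promises more than the rule under it checks: that rule matches only `ether saddr != @pirania-auth-macs`, and source IPs are never consulted — the `ip daddr @pirania-allowlist-ipv4` / `ip6 daddr @pirania-allowlist-ipv6` accepts above are destination allowlists. Suggest `# DNS from MACs not in @pirania-auth-macs goes to the captive-portal DNS on :59053 (traffic to allowlisted destinations was already accepted above)`. The hunk also turns the `IPv4HTTP` redirect into yet another commented-out line next to `IPV6HTTP` and the older `#nft ... ip6 saddr` rules; deleting dead variants instead of keeping them in comments would make the active rule order, which is the point of this commit, readable at a glance. No terminal drop is visible in this hunk (the `#nft add rule inet pirania prerouting drop` line from the previous patch lies outside it), so whether unauthorized traffic other than DNS and HTTP is blocked still depends on the chain policy, also outside the hunk.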
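Review bot: `echo "Adicionando enderecos:" $mac` is an unconditional trace written to stdout on every update_ipsets run, with `$mac` unquoted and in a different language from the script's other messages (for example the "Pirania captive-portal is disabled" text earlier in this file); the `{$mac}` in the `nft add element` line above it is unquoted as well. If the trace is wanted, route it to the system log, `logger -t pirania "adding authorized mac: $mac"`, or to stderr with `printf '%s\n' "adding authorized mac: $mac" >&2`, so it does not end up in the output of whatever invokes captive-portal; otherwise drop it before merging. The enclosing update_ipsets function starts outside the hunk.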