uspot: use a single fwmark

Default firewall rules apply to unauthenticated clients, there is no need to specifically fwmark their packets. This reduces the firewall complexity and makes very clear what happens "by default". Add a preliminary README with a sample firewall illustrating this setup. Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
2025-10-29 17:42:41 +00:00 · 2023-05-31 10:36:40 +02:00
parent cf2f80fd3c
commit 35e1cbd15b
4 changed files with 68 additions and 5 deletions
--- a/feeds/ucentral/uspot/README.md
+++ b/feeds/ucentral/uspot/README.md
@@ -0,0 +1,65 @@
+# uspot
+
+A captive portal
+
+##
+
+TBC
+
+## Basic firewall setup
+
+In /etc/config/firewall:
+
+```
+config zone
+	option name 'captive'
+	list network 'captive'
+	option input 'REJECT'
+	option output 'ACCEPT'
+	option forward 'REJECT'
+
+config redirect
+	option name 'Redirect-unauth-captive-CPD'
+	option src 'captive'
+	option src_dport '80'
+	option proto 'tcp'
+	option target 'DNAT'
+	option reflection '0'
+	option mark '!1/127'
+
+config rule
+	option name 'Allow-captive-CPD-UAM'
+	option src 'captive'
+	option dest_port '80 3990'
+	option proto 'tcp'
+	option target 'ACCEPT'
+
+config rule
+	option name 'Forward-auth-captive'
+	option src 'captive'
+	option dest 'wan'
+	option proto 'any'
+	option target 'ACCEPT'
+	option mark '1/127'
+
+config rule
+	option name 'Allow-DHCP-captive'
+	option src 'captive'
+	option proto 'udp'
+	option dest_port '67'
+	option target 'ACCEPT'
+
+config rule
+	option name 'Allow-DNS-captive'
+	option src 'captive'
+	list proto 'udp'
+	list proto 'tcp'
+	option dest_port '53'
+	option target 'ACCEPT'
+
+config include
+	option type 'nftables'
+	option path '/usr/share/uspot/firewall.nft'
+	option position 'chain-post'
+	option chain 'mangle_postrouting'
+```
--- a/feeds/ucentral/uspot/files/usr/bin/captive
+++ b/feeds/ucentral/uspot/files/usr/bin/captive
@@ -51,11 +51,9 @@ function generate_spotfilter(name) {
 		{
 			index: 0,
 			device_macaddr,
-			fwmark: 1,
-			fwmark_mask: 127
 		}, {
 			index: 1,
-			fwmark: 2,
+			fwmark: 1,
 			fwmark_mask: 127
 		}
 	];
--- a/feeds/ucentral/uspot/files/usr/share/uspot/firewall.ipt
+++ b/feeds/ucentral/uspot/files/usr/share/uspot/firewall.ipt
@@ -1,3 +1,3 @@
 *mangle
-A POSTROUTING -m mark --mark 0x2 -j CONNMARK --set-mark 0x2
+-A POSTROUTING -m mark --mark 0x1 -j CONNMARK --set-mark 0x2
 COMMIT
--- a/feeds/ucentral/uspot/files/usr/share/uspot/firewall.nft
+++ b/feeds/ucentral/uspot/files/usr/share/uspot/firewall.nft
@@ -1 +1 @@
-mark 0x2 ct mark set 0x2
+mark 0x1 ct mark set 0x2