
@luandro luandro commented Jan 21, 2026

This is a continuation of the work on #1224

@luandro luandro marked this pull request as draft January 21, 2026 21:08
Implements a second-layer access control system that restricts internet
access during configurable time periods (e.g., 20:00-07:00 on weekdays).

Key features:
- Scheduled restrictions with day-of-week and time range configuration
- Unrestricted vouchers that bypass Tranca restrictions entirely
- Category-based allowlists during restricted periods (e.g., messenger IPs)
- Cron-based scheduler that evaluates schedule every minute
- Smart nftables rule rebuilding on state changes

During Tranca Redes active periods:
- Authorized MACs can only reach category allowlist destinations
- Unrestricted voucher holders bypass all restrictions
- Unauthorized MACs remain blocked as usual

Feature is disabled by default (enabled='0').

Replace the deprecated liblucihttp-lua dependency with pure Lua
implementations for URL encoding/decoding. This improves compatibility
with newer OpenWrt versions where lucihttp is being phased out.

Changes:
- Implement RFC 3986 compliant urlencode() using pure Lua
- Implement urldecode() supporting both %XX and + encoding
- Implement urldecode_params() for query string parsing
- Remove liblucihttp-lua from package dependencies
- Add comprehensive unit tests for URL utilities (31 tests)

The implementation handles all existing use cases including:
- Voucher code parsing from query strings
- URL encoding for redirect parameters
- Support for & and ; as query parameter separators
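The three helpers this commit message describes, as an added example that is not the PR's or Pirania's own code: the function names follow the commit message, the exact project signatures and the sample inputs are assumptions constructed here.

```lua
-- Added example (not the PR's or Pirania's own code): pure-Lua replacements
-- for the liblucihttp-lua helpers, following the commit message above.
-- Function names match the commit; exact project signatures are an assumption.

-- RFC 3986 percent-encoding: unreserved bytes (ALPHA, DIGIT, "-", ".", "_",
-- "~") pass through; every other byte becomes %XX with uppercase hex.
local function urlencode(s)
  return (tostring(s):gsub("[^%w%-%._~]", function(c)
    return string.format("%%%02X", string.byte(c))
  end))
end

-- Decode "+" as space (form encoding) and %XX sequences. A "%" that is not
-- followed by two hex digits is left untouched instead of raising an error.
local function urldecode(s)
  s = tostring(s or ""):gsub("%+", " ")
  return (s:gsub("%%(%x%x)", function(hex)
    return string.char(tonumber(hex, 16))
  end))
end

-- Parse a query string into key -> decoded value, accepting both "&" and
-- ";" as separators and tolerating a leading "?". A later duplicate key wins.
local function urldecode_params(query)
  local params = {}
  query = tostring(query or ""):gsub("^%?", "")
  for pair in query:gmatch("[^&;]+") do
    local key, value = pair:match("^([^=]*)=?(.*)$")
    if key ~= "" then
      params[urldecode(key)] = urldecode(value)
    end
  end
  return params
end

-- Constructed sample input (not from the PR): a captive-portal redirect URL
-- and a voucher query string that mixes both separators.
assert(urlencode("http://host/?q=a b") == "http%3A%2F%2Fhost%2F%3Fq%3Da%20b")
assert(urldecode(urlencode("safe-._~ text/")) == "safe-._~ text/")
assert(urldecode("100%zz+%41") == "100%zz A")  -- malformed %zz survives

local p = urldecode_params("?voucher=ABC%2D123&next=%2Fstatus;lang=pt")
assert(p.voucher == "ABC-123" and p.next == "/status" and p.lang == "pt")
print("url utilities ok")

return { urlencode = urlencode, urldecode = urldecode,
         urldecode_params = urldecode_params }
```

Because the decoder never raises on a malformed escape, a crafted voucher string cannot crash the portal's Lua handler; the caller still has to validate the decoded voucher code before using it.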

ilario commented Jan 23, 2026

Looks amazing :D

In 6786e6e @henmohr removed the usage of ipset, but somehow the ipset dependency is still in Makefile. Can you take advantage of all this amazing hackathon to try whether it is safe to remove it? Also, ip6tables-mod-nat should not be required anymore as @henmohr moved everything to nftables, right?

Implement catch_interfaces and catch_bridged_interfaces to scope
Pirania captive portal to specific interfaces only, preventing mesh
traffic from being affected.

Changes:
- Add kmod-nft-bridge dependency for bridge-family nftables support
- Create bridge pirania table with L2 marking (mark 0x9124714)
- Add pirania-catch-ifaces and pirania-catch-bridge-ifaces sets
- Use regular chains (pirania_prerouting, pirania_forward) with
  base chain gating via interface match or mark match
- Update clean_tables() to remove both bridge and inet tables
- Update update_ipsets() to populate interface sets from UCI
- Default config now uses catch_bridged_interfaces (wlan0-ap) instead
  of catch_interfaces (br-lan) to avoid catching mesh traffic

This preserves legacy behavior when interfaces are configured while
allowing mesh-safe defaults that only catch Wi-Fi AP traffic.

- Add critical note about chain creation order (regular chains before
  base chains that reference them)
- Mark validated checklist items from testing on router
- Add note about adding wlan0-apname to catch list for the example router