From 8e7701423def9094584c5e5ae99655abc6e60282 Mon Sep 17 00:00:00 2001
From: Jeltz
Date: Wed, 10 Mar 2021 06:57:59 +0100
Subject: [PATCH] Add internet access to signup network
---
 .../templates/nftables.d/40-signup.conf.j2 | 4 ++--
 .../templates/nftables.d/50-filter.conf.j2 | 17 +++++++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/roles/nftables_router/templates/nftables.d/40-signup.conf.j2 b/roles/nftables_router/templates/nftables.d/40-signup.conf.j2
index e2e067d..1b1938d 100644
--- a/roles/nftables_router/templates/nftables.d/40-signup.conf.j2
+++ b/roles/nftables_router/templates/nftables.d/40-signup.conf.j2
@@ -29,8 +29,8 @@ table inet signup {
 # Si la machine tente de se connecter à un des hôtes déclencheurs,
 # on enregistre son adresse MAC et on laisse passer la connexion
- ip daddr $signup_trigger_v4 goto trigger
- ip6 daddr $signup_trigger_v6 goto trigger
+ ip daddr $signup_triggers_v4 goto trigger
+ ip6 daddr $signup_triggers_v6 goto trigger
 # La machine a tenté de se connecter vers une destination qui ne
 # déclenche pas l'accès à Internet, donc on bloque
diff --git a/roles/nftables_router/templates/nftables.d/50-filter.conf.j2 b/roles/nftables_router/templates/nftables.d/50-filter.conf.j2
index 795d506..a19265f 100644
--- a/roles/nftables_router/templates/nftables.d/50-filter.conf.j2
+++ b/roles/nftables_router/templates/nftables.d/50-filter.conf.j2
@@ -29,6 +29,10 @@ table inet filter {
 log prefix "in-from-member" group 0
 }
+ chain input_from_signup {
+ log prefix "in-from-signup" group 0
+ }
+
 chain input_from_svc {
 log prefix "in-from-svc" group 0
 }
@@ -55,6 +59,9 @@ table inet filter {
 ip saddr $member_v4 goto input_from_member
 ip6 saddr $member_v6 goto input_from_member
+ ip saddr $signup_v4 goto input_from_signup
+ ip6 saddr $signup_v6 goto input_from_signup
+
 ip saddr $svc_v4 goto input_from_svc
 ip6 saddr $svc_v6 goto input_from_svc
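Review bot: The rename to `$signup_triggers_v4` / `$signup_triggers_v6` in the 40-signup.conf.j2 hunk changes only the two references; the matching `define` lines are not in this diff and the diffstat lists no other file, so unless the plural names already exist in an earlier template, `nft -f` rejects the whole ruleset at load time with an undefined-symbol error rather than just this rule. Worth confirming the definitions exist under the new names, and that nothing else still references the singular `$signup_trigger_*` names, before merging. The chain enclosing these rules starts and ends outside the hunk.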
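Review bot: `input_from_signup` in the `@@ -29,6 +29,10 @@` hunk only logs and carries no verdict, and `forward_to_signup` in the later `@@ -89,6 +96,9 @@` hunk is empty, so after the `goto` the packet's fate is decided by the policy of the base chain, which is outside this diff. That mirrors the existing `input_from_member` / `forward_to_svc` pattern, but to a reader it looks like a forgotten `drop`; a one-line comment on each, e.g. `# log only: the verdict is the base chain policy`, would make the intent explicit. If that policy is `accept`, every host on the signup prefixes can reach every local service on the router, which is presumably more than the trigger-host flow in 40-signup needs — hedged, since the policy line is not visible here.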
@@ -89,6 +96,9 @@ table inet filter {
 goto forward_to_member_re2o_ports
 }
+ chain forward_to_signup {
+ }
+
 chain forward_to_svc {
 }
@@ -124,6 +134,10 @@ table inet filter {
 ip saddr $member_v4 accept
 ip6 saddr $member_v6 accept
+ # Les réseaus d'inscription ont accès à internet
+ ip saddr $signup_v4 accept
+ ip6 saddr $signup_v6 accept
+
 # Les réseaux de services ont accès à Internet
 ip saddr $svc_v4 accept
 ip6 saddr $svc_v6 accept
@@ -152,6 +166,9 @@ table inet filter {
 ip daddr $member_v4 goto forward_to_member
 ip6 daddr $member_v6 goto forward_to_member
+ ip daddr $signup_v4 goto forward_to_signup
+ ip6 daddr $signup_v6 goto forward_to_signup
+
 ip daddr $svc_v4 goto forward_to_svc
 ip6 daddr $svc_v6 goto forward_to_svc
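Review bot: In the `@@ -124,6 +134,10 @@` hunk, `ip saddr $signup_v4 accept` / `ip6 saddr $signup_v6 accept` accept every forwarded packet from the signup prefixes regardless of destination; if no interface or destination match precedes them in this chain (its top is outside the hunk) and the `daddr` dispatch in the `@@ -152,6 +166,9 @@` hunk comes later in the same chain, signup hosts are forwarded to the member and service networks as well, not only to the Internet the commit title describes. The existing `$member_v4 accept` lines have the same shape, so this may be deliberate; if only uplink access is wanted, scoping the rule, e.g. `oifname <UPLINK_IF> ip saddr $signup_v4 accept` (placeholder for the uplink interface), keeps inter-network traffic subject to the later per-destination chains. Note that the `table inet signup` gating shown in the first hunk still applies independently: a drop in that table stands whatever this table accepts, so this change widens what registered hosts may reach, not what unregistered ones may. Separately, the new comment reads `réseaus` for `réseaux` and lowercase `internet` where the neighbouring svc comment uses `Internet`.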