From 321130fbe30506217be23f9eea6c19d93a95c0f2 Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Sun, 4 Sep 2016 09:45:53 +0100
Subject: [PATCH] captive: Do not generally allow access to TCP/1013

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 src/misc-progs/captivectrl.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/misc-progs/captivectrl.c b/src/misc-progs/captivectrl.c
index 378ba0180..1b6408426 100644
--- a/src/misc-progs/captivectrl.c
+++ b/src/misc-progs/captivectrl.c
@@ -260,6 +260,13 @@ static int add_interface_rule(const char* intf, int allow_webif_access) {
 	if (r)
 		return r;
 
+	// Allow access to captive portal site
+	snprintf(command, sizeof(command), IPTABLES " -A CAPTIVE_PORTAL_CLIENTS"
+		" -d %s -p tcp --dport %d -j RETURN", intf, REDIRECT_PORT);
+	r = safe_system(command);
+	if (r)
+		return r;
+
 	return 0;
 }
 
@@ -293,13 +300,6 @@ static int add_interface_rules(struct keyvalue* captive_portal_settings, struct
 	if (r)
 		return r;
 
-	char command[STRING_SIZE];
-	snprintf(command, sizeof(command), IPTABLES " -A CAPTIVE_PORTAL_CLIENTS"
-		" -p tcp --dport %d -j RETURN", REDIRECT_PORT);
-	r = safe_system(command);
-	if (r)
-		return r;
-
 	// Add the last rule
 	r = safe_system(IPTABLES " -A CAPTIVE_PORTAL_CLIENTS -j DROP");
 	if (r)
-- 
2.39.2