From 9bb405536712b79f8b77771707c5dbc4002fc3f2 Mon Sep 17 00:00:00 2001
From: Michael Tremer <michael.tremer@ipfire.org>
Date: Sat, 11 Nov 2017 12:47:37 +0000
Subject: [PATCH] captive portal: Require authorization before redirecting to
 proxy

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 config/rootfiles/core/117/filelists/files | 1 +
 src/initscripts/system/firewall           | 8 ++++----
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/config/rootfiles/core/117/filelists/files b/config/rootfiles/core/117/filelists/files
index 6fef8c08ec..59bd5dfcca 100644
--- a/config/rootfiles/core/117/filelists/files
+++ b/config/rootfiles/core/117/filelists/files
@@ -5,4 +5,5 @@ srv/web/ipfire/html/themes/darkdos/include/functions.pl
 srv/web/ipfire/html/themes/ipfire-legacy/include/functions.pl
 srv/web/ipfire/html/themes/ipfire/include/functions.pl
 srv/web/ipfire/html/themes/maniac/include/functions.pl
+usr/local/bin/captivectrl
 var/ipfire/network-functions.pl
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index c4d2fefe41..cab791c1f7 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -310,6 +310,10 @@ iptables_init() {
 	iptables -t nat -N NAT_SOURCE
 	iptables -t nat -A POSTROUTING -j NAT_SOURCE
 
+	# Captive Portal
+	iptables -t nat -N CAPTIVE_PORTAL
+	iptables -t nat -A PREROUTING -j CAPTIVE_PORTAL
+
 	# Custom prerouting chains (for transparent proxy)
 	iptables -t nat -N SQUID
 	iptables -t nat -A PREROUTING -j SQUID
@@ -344,10 +348,6 @@ iptables_init() {
 	iptables -N UPNPFW
 	iptables -A FORWARD -m conntrack --ctstate NEW -j UPNPFW
 
-	# Captive Portal
-	iptables -t nat -N CAPTIVE_PORTAL
-	iptables -t nat -A PREROUTING -j CAPTIVE_PORTAL
-
 	# RED chain, used for the red interface
 	iptables -N REDINPUT
 	iptables -A INPUT -j REDINPUT
-- 
2.39.2